Custom security credentials in practice in ASP.NET 2.0 applications

Source: Internet
Author: User

I. Solution Framework

The solution is simple: a Web service wraps the ASP.NET 2.0 providers and exposes credential management to remote clients, and you can even add some functionality that is missing from the architecture. A Windows Forms application then consumes the Web service, providing a rich user interface and a comprehensive credential management experience. The Web service configuration file contains the directives that are specific to the credential store. However, this does mean that all applications managed by the Web service share these directives.

Although you could build the Web service from the bottom up, that is, first wrap the static methods of Roles and Membership and let them define the Web service, I prefer a contract-driven approach: first design the best interfaces for performing the various operations, and do not think about how to implement them until you need to. Doing so ensures that the interfaces exposed by the Web service support all required administrative functions, and it also reduces the coupling between the client application and any implementation details, such as the wrapped providers.

A nice feature of ASP.NET 2.0 is its support for Web service interfaces: you can define logical interfaces and have the Web service expose them, just as a class would. To do this, decorate the interface with the WebServiceBinding attribute and expose the individual interface methods with the WebMethod attribute. You then have a class derive from the interface and implement it, and the compiler requires the class to support all of the interface's methods.

To manage and interact with the credential store and the Web service configuration, I have defined five interfaces: IApplicationManager, IMembershipManager, IPasswordManager, IRoleManager and IUserManager.

(i) IApplicationManager

The IApplicationManager interface, shown in Listing 2 of the attached source code, allows the administrator to delete a specified application, that is, to remove all references to it from the database and delete all its users and roles. IApplicationManager also allows all applications to be removed from the store, and it can return a list of all applications in that store. Note that the interface is defined as internal; the public and internal visibility modifiers are meaningless for Web service interfaces. Each method on the interface is decorated with the WebMethod attribute and has a short description of the method. In addition, all methods that access the credential store are set to use transactions. As a result, two operations, such as deleting an application and creating a user, execute in complete isolation from each other, and the atomicity of complex operations such as removing all users is guaranteed. Web services in .NET 2.0 can only start a new transaction, and this is controlled by the TransactionOption property of the WebMethod attribute. The last point is the WebServiceBinding attribute applied to the interface. It specifies that the interface is a Web service interface that both clients and services can bind to. To expose the interface in a WSDL contract, you need to use a shim class. The shim class is necessary because you cannot expose an interface as a Web service, and you cannot apply the WebService attribute to it. The shim class also defines the namespace of the interface through the WebService attribute. The following code shows the definition of the IApplicationManagerShim abstract class.

[WebService(Name = "IApplicationManager",
    Namespace = "http://CredentialsServices",
    Description = "IApplicationManager is used to manage " +
        "applications. This Web service is only " +
        "the definition of the interface. You " +
        "cannot invoke method calls on it.")]
abstract class IApplicationManagerShim : IApplicationManager{
    public abstract void DeleteApplication(string application);
    public abstract string[] GetApplications();
    public abstract void DeleteAllApplications();
}


Because IApplicationManagerShim is a class, you can expose it as a Web service. Because it is an abstract class and all its methods are defined as abstract, you do not need to (and cannot) implement any of them. To make it look like the interface, IApplicationManagerShim sets the Name property of the WebService attribute to IApplicationManager (instead of the default class name). Now you can use the IApplicationManager.asmx file to expose the interface.

<%@ WebService Language="C#"
    CodeBehind="~/App_Code/IApplicationManagerShim.cs"
    Class="IApplicationManagerShim" %>


Now, if you browse to the IApplicationManager.asmx page, you will see the interface definition. You can use the /serverInterface option of WSDL.exe to import the interface definition into the client or into any other service that you want to bind to it.

(ii) IMembershipManager

The IMembershipManager interface (see Listing 3 in the attached source code) allows you to manage all aspects of user accounts: creating and deleting user accounts, updating user accounts, retrieving user account details, and retrieving all users in an application.

(iii) IRoleManager

The IRoleManager interface allows you to manage all aspects of logical roles: creating and removing roles, adding users to and removing users from roles, and retrieving all roles in an application.

[WebServiceBinding("IRoleManager")]
interface IRoleManager{
    [WebMethod(...)]
    void CreateRole(string application, string role);
    [WebMethod(...)]
    bool DeleteRole(string application, string role, bool throwOnPopulatedRole);
    [WebMethod(...)]
    void AddUserToRole(string application, string userName, string role);
    [WebMethod(...)]
    void DeleteAllRoles(string application, bool throwOnPopulatedRole);
    [WebMethod(...)]
    string[] GetAllRoles(string application);
    [WebMethod(...)]
    string[] GetRolesForUser(string application, string userName);
    [WebMethod(...)]
    string[] GetUsersInRole(string application, string role);
    [WebMethod(...)]
    void RemoveUserFromRole(string application, string userName, string roleName);
    //More members
}

(iv) IPasswordManager

The IPasswordManager interface mainly provides read-only information related to the application's password policy.

[WebServiceBinding("IPasswordManager")]
interface IPasswordManager{
    [WebMethod(...)]
    bool EnablePasswordReset(string application);
    [WebMethod(...)]
    bool EnablePasswordRetrieval(string application);
    [WebMethod(...)]
    string GeneratePassword(string application, int length,
        int numberOfNonAlphanumericCharacters);
    [WebMethod(...)]
    bool RequiresQuestionAndAnswer(string application);
    [WebMethod(...)]
    string ResetPassword(string application, string userName);
    [WebMethod(...)]
    string GetPassword(string application, string userName, string passwordAnswer);
    [WebMethod(...)]
    void ChangePassword(string application, string userName, string newPassword);
    //More members
}


Typically, the policy is stored in the application's configuration file. The policy includes whether password reset and retrieval are enabled, the password strength, the password question-and-answer policy, and so on. You can also use IPasswordManager to generate a new password that conforms to the password strength policy. In addition, IPasswordManager can be used to reset, change, or retrieve the password of a specified user.

(v) IUserManager

The IUserManager interface allows you to validate user credentials, check role membership, and obtain all the roles that the specified user is a member of. This interface is used for testing and analysis purposes.

[WebServiceBinding("IUserManager")]
public interface IUserManager{
    [WebMethod(...)]
    bool Authenticate(string applicationName, string userName, string password);
    [WebMethod(...)]
    bool IsInRole(string applicationName, string userName, string role);
    [WebMethod(...)]
    string[] GetRoles(string applicationName, string userName);
}
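
One way a class could implement the IUserManager interface over the ASP.NET 2.0 Membership and Roles providers (an added example, not the article's own code). The class name UserManagerService, the Query delegate and the ForApplication helper are hypothetical, and the role manager is assumed to be enabled in Web.config; the lock is there because ApplicationName is a setting shared by every request, so two callers asking about different applications must not interleave.

```csharp
using System;
using System.Web.Security;
using System.Web.Services;

[WebServiceBinding("IUserManager")]
public interface IUserManager {
    [WebMethod] bool Authenticate(string applicationName, string userName, string password);
    [WebMethod] bool IsInRole(string applicationName, string userName, string role);
    [WebMethod] string[] GetRoles(string applicationName, string userName);
}

// Hypothetical implementation class; the WebMethod attributes live on the interface.
[WebService(Namespace = "http://CredentialsServices")]
public class UserManagerService : WebService, IUserManager {
    // Membership.ApplicationName and Roles.ApplicationName are provider-wide,
    // so every switch to another application is serialized and then undone.
    static readonly object providerLock = new object();
    delegate T Query<T>();

    static T ForApplication<T>(string applicationName, Query<T> query) {
        if (String.IsNullOrEmpty(applicationName))
            throw new ArgumentException("Application name is required.", "applicationName");
        lock (providerLock) {
            string oldMembership = Membership.ApplicationName;
            string oldRoles = Roles.ApplicationName;
            try {
                Membership.ApplicationName = applicationName;
                Roles.ApplicationName = applicationName;
                return query();
            } finally {
                // Restore even when the query throws, so a failed call cannot
                // leave later requests pointed at the wrong application.
                Membership.ApplicationName = oldMembership;
                Roles.ApplicationName = oldRoles;
            }
        }
    }

    public bool Authenticate(string applicationName, string userName, string password) {
        return ForApplication<bool>(applicationName,
            delegate { return Membership.ValidateUser(userName, password); });
    }
    public bool IsInRole(string applicationName, string userName, string role) {
        return ForApplication<bool>(applicationName,
            delegate { return Roles.IsUserInRole(userName, role); });
    }
    public string[] GetRoles(string applicationName, string userName) {
        return ForApplication<string[]>(applicationName,
            delegate { return Roles.GetRolesForUser(userName); });
    }
}
```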
