ASP.NET: Accessing Network Resources

For many ASP.NET developers, accessing shared network resources from Web Forms and Web services is a major challenge. Microsoft .NET introduces new authentication and authorization mechanisms, and most security-related articles and books explain Forms authentication at considerable length, but understanding the ASP.NET security architecture together with IIS, network, and operating-system security is the key to providing the best solution.
Figure 1 depicts the basic security layers provided by IIS and ASP.NET, which are fundamentally different from classic ASP security. The diagram is taken from the MSDN Web site. When a Web request arrives, the following events occur in sequence.
1. The user issues an HTTP request.
2. The request is received by IIS, which runs under the System account. The System account is very powerful and holds all types of permissions. IIS authenticates the request according to the authentication type selected and creates a Windows access token for each authenticated user. If Anonymous authentication is selected, it creates an access token for the anonymous user, which by default is IUSR_machine. IIS also authorizes the request according to the authorization settings configured for it; for example, IIS can be configured to accept requests only from specific IP addresses.
3. IIS passes the request and the authenticated user's Windows access token to aspnet_isapi.dll, an ISAPI extension registered to handle .aspx URLs. aspnet_isapi.dll is an IIS module that bridges the IIS and ASP.NET run-time environments. It forwards the request to the worker process through a named pipe.
4. The worker process, aspnet_wp.exe, hosts the CLR. By default it runs under the ASPNET account, a local account created when the ASP.NET Framework is installed. Unlike the powerful System account, the ASPNET account has very limited privileges. ASP.NET authenticates the requester according to its authentication configuration, which is specified in XML in the project's Web.config file. If ASP.NET is configured for Windows authentication, it accepts the token from IIS without performing any further authentication. ASP.NET also authorizes access to the requested resources and files; for example, the FileAuthorizationModule checks whether the user has the required permissions on the requested resource. Under Windows authentication, the user's access token is checked against the resource's ACL.
5. If the request has passed all of these checks, the application accesses the resource under a specific identity. By default this is the ASPNET process account. However, if impersonation is enabled, the application can use the original caller's identity, or impersonation can be configured so that the application runs under a specific fixed identity.
With the security pipeline clarified, the user can access the data, provided the NTFS permissions on the network resource allow it. Before going further, two important issues must be addressed. The first is to specify and define the task: accessing files and folders on a UNC share, that is, files and folders shared on the network. The second is to determine the identity used to perform that access. To complete the first task, the second must be solved first.
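As an added diagnostic (my code, not the article's), the helper below can be dropped into a test page to show which Windows account the worker-process thread will present to a file share at step 5 of the pipeline; the class and method names are my own, and it assumes the Web application uses Windows authentication so that the page's User principal is a Windows identity.

```vb
Imports System
Imports System.Security.Principal

' Reports the identity that a UNC access from this request would actually use.
Public Class AccessIdentityCheck

    ' The account the worker process itself runs under (ASPNET by default).
    ' Passing IntPtr.Zero to Impersonate temporarily reverts any thread-level
    ' impersonation, so GetCurrent() returns the process token's identity.
    Public Shared Function ProcessIdentityName() As String
        Dim revert As WindowsImpersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero)
        Try
            Return WindowsIdentity.GetCurrent().Name
        Finally
            revert.Undo()
        End Try
    End Function

    ' The account the current thread presents to remote resources right now.
    ' This differs from the process identity only when impersonation is active.
    Public Shared Function EffectiveIdentityName() As String
        Return WindowsIdentity.GetCurrent().Name
    End Function

    ' True when impersonation (configured in Web.config or done in code) is in effect.
    Public Shared Function IsImpersonating() As Boolean
        Return String.Compare(ProcessIdentityName(), EffectiveIdentityName(), True) <> 0
    End Function

    ' One-line summary for a label on a test page; the caller is the browser
    ' user that IIS authenticated, which may or may not be the identity used
    ' for the file access depending on the impersonation setting.
    Public Shared Function Describe(ByVal user As IPrincipal) As String
        Dim caller As String = "anonymous"
        If Not user Is Nothing AndAlso user.Identity.IsAuthenticated Then
            caller = user.Identity.Name
        End If
        Return "Authenticated caller: " & caller & _
            "; process identity: " & ProcessIdentityName() & _
            "; identity presented to the share: " & EffectiveIdentityName() & _
            "; impersonating: " & IsImpersonating().ToString()
    End Function
End Class
```

Calling AccessIdentityCheck.Describe(Page.User) from Page_Load makes it easy to confirm that a failed share access is being attempted as ASPNET rather than as the intended account.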
There are several ways to access network resources:
• Use the ASP.NET process identity
• Use the anonymous user account
• Use the LogonUser API
• Use serviced components (Enterprise Services)
Using the ASP.NET process identity has obvious flaws. By default, when the application tries to access a resource, the ASP.NET process identity (ASPNET) is the identity presented. The simplest workaround is to create a local account on the remote computer with a matching user name and password. Most businesses have large intranets, so this approach is impractical, and it also loses track of who is actually accessing the resource. Although this method is sufficient to reach network resources, it is not a good one. The second method is to use an anonymous account such as IUSR_machine; as above, this is clearly not a good approach either. The third approach is to impersonate a specific identity by calling the Win32 LogonUser API, or to impersonate by configuring impersonation in the ASP.NET project's Web.config file. According to an article on MSDN, these methods should be avoided on Windows 2000 servers because they require the ASP.NET process account to be granted the "Act as part of the operating system" privilege, which greatly reduces the security of the Web application. Therefore this method is not ideal either. Finally, and most feasibly, the solution is to use a serviced component configured to run under a fixed identity for accessing network resources. This approach sounds daunting, but it is the best solution at the moment; its architecture is shown in the following illustration:
Meyer, in the security articles published on MSDN at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetch08.asp, says that using serviced components in an Enterprise Services server application has the following benefits:
• Flexibility in the choice of identity: the component does not have to depend on the ASP.NET process identity.
• Trusted or higher-privileged code can be isolated from the main Web application.
• The additional process hop raises the bar for an attacker, who must cross a process boundary to reach the higher-privileged process.
• If impersonation must be handled manually with LogonUser API calls, this can be done in a process isolated from the main Web application.
Developing serviced components
A component that is hosted by COM+ and uses its services is called a serviced component. To develop serviced components, developers need solid experience with COM+ technology. COM+ applications are not traditional applications; they contain no user interface. A COM+ application is actually a container for components, both COM and .NET. COM+ is not a new version of COM, nor a combination of COM and DCOM, but a technology inherited from MTS (Microsoft Transaction Server).
The following are the steps required to develop a serviced component:
1. Create a new Class Library project to develop the middle-tier component as a class library for the Web application.
2. Add the appropriate classes, methods, and properties. Because the component needs to access files and folders, import the System.IO namespace.
3. Create a Web Forms application.
You can now test the component. To achieve higher security in an Enterprise Services application, use Windows authentication together with impersonation, configured in the Web application's Web.config file. This lets the serviced component authenticate the caller and make authorization decisions based on the caller's identity. During development, although the component is not yet a serviced component, it can still provide sufficient security for accessing shared files and folders.
To test, compile the class first, then add a reference to the assembly in the Web application. Instantiate the class as shown below:
Dim objEnterprise As New AccessingSharedResources.Dal_accessnetwork()
4. Create a strong-named assembly
• Open the Visual Studio .NET Command Prompt by selecting Start Menu --> Programs --> Microsoft Visual Studio .NET --> Visual Studio .NET Tools --> Visual Studio .NET Command Prompt.
• Change to the project directory and enter the following command: sn -k keypair.snk
• This command creates a public/private key pair that the Visual Studio .NET IDE can use to give the component a strong name. Note that a keypair.snk file is now present in the project directory.
• Open the AssemblyInfo.vb file in the code window and add the following assembly attribute:
<Assembly: AssemblyKeyFile("keypair.snk")>
• Compile the project. This produces a strong-named assembly.
5. Add the assembly to the GAC (Global Assembly Cache)
• Open the .NET Framework Configuration tool by clicking Start Menu --> Programs --> Administrative Tools --> Microsoft .NET Framework Configuration.
• Select Assembly Cache --> View List of Assemblies in the Assembly Cache to browse all the assemblies in the GAC.
• Right-click the Assembly Cache icon and select Add from the pop-up menu.
• Locate the AccessingSharedResources.dll file in the project's bin directory and double-click it.
Note: If the command prompt window is still open, you can instead enter gacutil /i AccessingSharedResources.dll to add the assembly to the GAC. This is the second way to add an assembly to the GAC.
7. Add a reference to System.EnterpriseServices.dll
8. Import the appropriate Enterprise Services namespaces:
Imports System.EnterpriseServices
Imports System.Runtime.CompilerServices
Imports System.Reflection
9. Make each class inherit from the ServicedComponent class:
Public Class Dal_accessnetwork
    Inherits ServicedComponent
10. Add the assembly-level attributes required by serviced components to the AssemblyInfo.vb file.
• Import the System.EnterpriseServices namespace
• Add the following code:
' COM+ application name
<Assembly: ApplicationName("AccessingSharedResources")>
' COM+ activation type
11. Set the AssemblyVersion:
According to the MSDN article (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetch09.asp), when a new project is created with Microsoft Visual Studio .NET, the default AssemblyVersion attribute generated by the development system is
Although this conforms to strict COM rules, which aim to prevent breaking existing managed and unmanaged clients, it is still very annoying during development. During testing and development, consider setting an explicit version using the assembly-level AssemblyVersion attribute shown below:
This setting prevents a new CLSID from being generated each time the project is compiled.
12. Create a new COM+ application and register the assembly in it
• Run the Visual Studio .NET Command Prompt.
• Change to the bin directory containing the DLL file.
• Enter regsvcs /c AccessingSharedResources.dll and press Enter.
13. Modify the Web application
• Add a reference to System.EnterpriseServices.dll
• Add an Imports System.EnterpriseServices statement to the Web client code
At this stage the serviced component is complete. We can view it as a COM+ application:
• Open Component Services by selecting Start --> Programs --> Administrative Tools --> Component Services.
• Expand Console Root --> Component Services --> Computers --> My Computer --> COM+ Applications --> AccessingSharedResources --> Components.
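Putting steps 8 through 12 together, here is an added example of what the finished component and its assembly-level attributes can look like (my code, not the article's). It assumes a Server activation type and an explicit version of 1.0.0.0, which the article implies but does not show, and the ReadSharedFile and GetCallerName methods are my own.

```vb
Imports System
Imports System.IO
Imports System.Reflection
Imports System.EnterpriseServices
Imports System.Security.Principal

' Assembly-level COM+ attributes (normally kept in AssemblyInfo.vb).
<Assembly: ApplicationName("AccessingSharedResources")>
' Assumption: a Server application, i.e. a separate dllhost.exe whose identity
' is set in Component Services. A Library application would load into
' aspnet_wp.exe and inherit the ASPNET account, defeating the purpose.
<Assembly: ApplicationActivation(ActivationOption.Server)>
<Assembly: AssemblyKeyFile("keypair.snk")>
' Explicit version so a rebuild does not produce a new CLSID (assumed value).
<Assembly: AssemblyVersion("1.0.0.0")>

Public Class Dal_accessnetwork
    Inherits ServicedComponent

    ' Reads a text file from a UNC share under the COM+ application's fixed identity.
    Public Function ReadSharedFile(ByVal uncPath As String) As String
        ' Accept only UNC paths so the component cannot be used to read the
        ' Web server's own local disks on behalf of a browser user.
        If Not uncPath.StartsWith("\\") Then
            Throw New ArgumentException("Only UNC paths are accepted.", "uncPath")
        End If
        Try
            Dim reader As New StreamReader(uncPath)
            Try
                Return reader.ReadToEnd()
            Finally
                reader.Close()
            End Try
        Catch ex As UnauthorizedAccessException
            ' Report which account actually reached the share. If it is ASPNET or
            ' IUSR_machine, the application is not running as a Server application
            ' with its own identity.
            Throw New UnauthorizedAccessException("Access to " & uncPath & _
                " denied for identity " & WindowsIdentity.GetCurrent().Name, ex)
        End Try
    End Function

    ' Direct caller as seen by COM+, for authorization decisions inside the
    ' component. Only meaningful when access checks are enabled for the
    ' application in Component Services (assumed); otherwise returns "".
    Public Function GetCallerName() As String
        If Not ContextUtil.IsSecurityEnabled Then Return String.Empty
        Return SecurityCallContext.CurrentCall.DirectCaller.AccountName
    End Function
End Class
```

After regsvcs has registered the assembly, set the application's identity to the dedicated account on the COM+ application's Identity tab and grant only that account NTFS and share permissions on the UNC path.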
Advantages and Disadvantages
The advantages of using a serviced component are as follows:
• Flexibility in the choice of identity: we do not need to rely solely on the ASP.NET process identity.
• Trusted or highly privileged code can be isolated from the main Web application.
• The additional process hop increases the security of the system, making it more difficult for an attacker to cross process boundaries and reach higher-privileged processes.
• If impersonation must be handled with LogonUser API calls, it can be done in a process isolated from the main Web application.
The disadvantages are as follows:
• Calling serviced components is not as fast as calling local .NET objects, so application performance is affected.
• Extra steps and code are required.
• They are more difficult to manage than local .NET objects.
• The DLL must be installed in a COM+ application.
Conclusion
Although we have not used the core features of COM+, such as object pooling, transaction support, synchronization, and event tracking, we have achieved our objective. Simply installing a local .NET class in a COM+ application and adding a few lines of COM+-specific code is sufficient to accomplish the task of accessing shared resources on the network.