ASP.NET application security solution

xiaoxiao 2021-03-20

Abstract: This article introduces the concept of ASP.NET application authentication, presents and compares the available authentication modes, explains how to select an authentication mode, and gives an implementation based on Forms authentication.

Keywords: Authentication; ASP.NET; Web application

1. The basis of any successful application security policy is secure authentication and authorization, together with secure communication that provides confidentiality and integrity for sensitive data. Authentication is the process of identifying the client of an application. The client may be an end user, a service, a process, or a computer; once authenticated, the client is referred to as the principal. Authentication can occur at multiple layers of an application. An end user is first authenticated by the web application, typically by username and password; the end user's requests are then processed by the middle-tier application server and the database server, which also authenticate the requests they handle. Figure 1 lists the various security technologies and the main authentication methods each one provides.

2. As shown in Figure 1, the .NET Framework provides the following authentication modes:

ASP.NET authentication modes
Enterprise Services authentication
SQL Server authentication

2.1 ASP.NET authentication modes

The ASP.NET authentication modes are Windows, Forms, Passport, and None.

2.1.1 Windows authentication

With this authentication mode, ASP.NET relies on IIS to authenticate the user and create a Windows access token representing the authenticated identity.

IIS provides the following authentication mechanisms:

Basic authentication
Digest authentication
Integrated Windows authentication
Certificate authentication
Anonymous authentication

2.1.2 Passport authentication

With this mode, ASP.NET uses the centralized authentication service of Microsoft Passport. ASP.NET provides a convenient wrapper around the features of the Microsoft Passport Software Development Kit (SDK); the SDK must be installed on the web server.

2.1.3 Forms authentication

This mode uses client redirection to send an unauthenticated user to a specified login form, where the user enters credentials (usually a username and password). Once the credentials are verified, the system generates an authentication ticket and returns it to the client. The ticket carries the user's identity for the duration of the session and, optionally, the list of roles the user belongs to.

2.1.4 None

This mode indicates that you do not want to authenticate users, or that you use a custom authentication protocol.

2.2 Enterprise Services authentication

Enterprise Services authentication works through the underlying remote procedure call (RPC) transport, which uses the operating system's Security Support Provider Interface (SSPI). Clients of an Enterprise Services application can be authenticated using the Kerberos or NTLM mechanism.

2.3 SQL Server authentication

SQL Server can authenticate clients either through the Windows authentication mechanisms (Kerberos or NTLM) or through its own built-in scheme, SQL Server authentication. Two authentication modes are generally available.

2.3.1 SQL Server and Windows

Clients can connect to an instance of SQL Server using either SQL Server authentication or Windows authentication. This is sometimes called mixed-mode authentication.

2.3.2 Windows only

Clients must connect to an instance of SQL Server using Windows authentication.

3. Selecting an authentication mechanism

Designing authentication for a distributed application is a challenging task. An appropriate authentication design in the early stages of development helps to reduce many security risks.

3.1 Comparison of authentication mechanisms

The comparison table has the following columns: whether the user needs a Windows account in the server's domain; whether delegation is supported; whether Windows 2000 clients and servers are required; whether credentials are sent in the clear (so that SSL is required); and whether non-IE browsers are supported. The cell values survive only as recorded below (their alignment with the columns was lost):

Basic authentication: (values not recorded)
Digest authentication: Yes, No, No
NTLM authentication: Yes, No, No, No
Kerberos authentication: Yes, Yes, No, No
Certificate authentication: No, Yes, No, Yes, Yes
Forms authentication: No, Yes, Yes
Passport authentication: No, Yes, No, Yes

3.2 Factors in selecting the authentication mechanism

Identity: when users have Windows accounts with a trusted authority that the application's web server can reach, Windows authentication is suitable.

Credential management: a key advantage of Windows authentication is that credential management is handled by the operating system. With non-Windows methods such as Forms authentication, you must carefully consider where and how user credentials are stored. The most common approaches are to use a SQL Server database or the User objects in Active Directory.

Identity flow: determine whether the application needs to implement an impersonation/delegation model, so that the original caller's security context flows across tiers at the operating system level, for example to support per-user auditing or fine-grained authorization.

Browser type: do all users have the IE browser, or must a user base with mixed browsers be supported?

These factors must be weighed against the characteristics of each method.

3.3 Selection decision process for an intranet system

See Figure 2.

3.4 SQL Server user authentication

For authenticating clients of SQL Server, Windows authentication is generally more secure than SQL Server authentication, mainly for the following reasons:

Windows manages the user's credential information, and the user's credentials are not transmitted over the network.
You avoid embedding a username and password in the connection string.
Login security can be improved with password expiration, minimum password length, and account lockout after repeated invalid logins, which reduces exposure to dictionary attacks.

However, Windows authentication cannot be used in some specific application scenarios, for example:

The database client and database server are separated by a firewall, so Windows authentication cannot be used.
The application needs to connect to one or more databases using multiple identities.
The connected database is not SQL Server.
There is no safe way to run ASP.NET code as a specific Windows user.

In these scenarios, use SQL authentication or the database's native authentication mechanism.

4. ASP.NET authentication implementation

4.1 Program characteristics

This section covers only one implementation: authentication for an intranet web application. The program assumes the following characteristics:

Only authenticated clients can access the application.

The database trusts the application to have authenticated the user; that is, the application calls the database on behalf of the user.
The web application connects to the database using the ASP.NET process account.
The user's credentials are verified against a SQL Server database.
Forms authentication mode is used.

Storing the user's credentials in a SQL Server database makes personalized features easy to implement. Because the application calls the database on behalf of the user, the trusted subsystem model can be used, which makes better use of database connection pooling, ensures that users cannot access the back-end database directly, and reduces the ACL management work on the back end.

4.2 Security configuration steps

4.2.1 IIS configuration

Enable anonymous access to the virtual root directory of the web application. In the IIS MMC snap-in, right-click the application's virtual directory, then click Properties -> Directory Security -> Anonymous access and authentication control -> Edit.

4.2.2 ASP.NET configuration

1. Reset the password of the account used to run ASP.NET to a stronger one. This allows a local account with the same username and password to be duplicated on the database server, which is required when connecting to the database with Windows authentication so that the database server can respond to the network authentication request. To do this, edit the Machine.config file in the %windir%\Microsoft.NET\Framework\v1.1.4322\CONFIG directory and change the password attribute of the element that configures the ASP.NET process from its default value to the new password.

2. Configure ASP.NET to use Forms authentication. Edit the web.config file under the virtual root directory of the web application and set the authentication element accordingly.

4.2.3 Configuring SQL Server

1. Create a Windows account on the SQL Server computer that matches the ASP.NET process account. The username and password must match those of the ASP.NET application account.
2. Configure SQL Server to use Windows authentication.
3. Create a SQL Server login for the custom ASP.NET application account and grant it access to SQL Server.
4. Create a new database user and map the login to that database user.
5. Create a new user-defined database role and add the database user to the role.
6. Establish the database permissions for the database role.

4.3 Program code

4.3.1 Authentication event sequence

Figure 3 shows the sequence of events triggered when an unauthenticated user attempts to access a protected file or resource.

4.3.2 Code implementation steps

1. Build a web login form and verify the credentials the user supplies against the SQL Server database.
2. Retrieve the user's list of roles from the database.
3. Create a Forms authentication ticket and store the retrieved role information in the ticket. The sample code is as follows:

```csharp
private void btnLogin_Click(object sender, System.EventArgs e)
{
    // Verify the credentials against the SQL Server database (omitted).
    bool isAuthenticated = IsAuthenticated(txtUserName.Text, txtPassword.Text);
    if (isAuthenticated == true)
    {
        // Get the user's roles ('|'-separated string).
        string roles = GetRoles(txtUserName.Text, txtPassword.Text);

        // Create the authentication ticket.
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
            1,                            // version
            txtUserName.Text,             // user name
            DateTime.Now,                 // creation
            DateTime.Now.AddMinutes(60),  // expiration
            false,                        // persistent
            roles);                       // user data
        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        // Create the cookie carrying the encrypted ticket.
        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        Response.Cookies.Add(authCookie);

        // Redirect the user to the originally requested page.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserName.Text, false));
    }
}
```

4. Create the Application_AuthenticateRequest event handler and construct an IPrincipal object in it, usually using the GenericPrincipal class.

5. Place the IPrincipal object in the current HTTP context.

```csharp
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Extract the Forms authentication cookie.
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];
    if (null == authCookie)
    {
        return;
    }

    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch (Exception)
    {
        // Decryption failed (tampered or otherwise invalid cookie): leave the request unauthenticated.
        return;
    }
    if (null == authTicket)
    {
        return;
    }

    // Extract the role names stored in the ticket's UserData, separated by '|'.
    string[] roles = authTicket.UserData.Split(new char[] { '|' });

    // Create the Identity object and a GenericPrincipal carrying the roles.
    FormsIdentity id = new FormsIdentity(authTicket);
    GenericPrincipal principal = new GenericPrincipal(id, roles);
    Context.User = principal;
}
```

Readers can complete the remaining code themselves.

5. Authorization and secure communication are discussed in what follows.

Abstract: This article introduces the concept of ASP.NET application authorization, presents and compares the available authorization modes, and explains how to select an authorization mode.

Keywords: Authorization; ASP.NET; Web application

1.1 Authorization concept

The basis of any successful application security policy is solid authentication and authorization, together with secure communication that provides confidentiality and integrity for sensitive data. Authorization is the process that controls which resources an authenticated client can access and which operations it can perform. Accessible resources include files, databases, and the like, as well as system-level resources such as the registry and configuration data. Many web applications do not authorize access to the underlying resources directly; instead they authorize, at the method level, the operations a client may perform. The main reason is the scalability and manageability of the application system.
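Steps 1 and 2 of section 4.3.2 above (verifying the credentials against the SQL Server database and obtaining the role list) were left out of the sample, and the method-level authorization just described depends on the roles those steps produce. The following is an added example, not the article's code: an in-memory dictionary stands in for the SQL Server user table (in a real application the salt, password hash and role list would be read with a parameterized SqlCommand), the account names, passwords and roles are constructed, the roles are carried as the same '|'-separated string the ticket's UserData uses, and the principal is attached to Thread.CurrentPrincipal because there is no HTTP context outside ASP.NET. It assumes a current C# compiler and .NET runtime rather than the .NET Framework 1.1 the article targets.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;

// Added example, not the article's code. The dictionary below is a constructed
// stand-in for the SQL Server user table; a real application would read the
// salt, password hash and role list with a parameterized SqlCommand instead.
public static class CredentialStore
{
    private sealed class UserRow
    {
        public byte[] Salt;
        public byte[] PasswordHash;
        public string Roles;   // '|'-separated, the form the ticket's UserData carries
    }

    private static readonly Dictionary<string, UserRow> Users =
        new Dictionary<string, UserRow>(StringComparer.OrdinalIgnoreCase);

    static CredentialStore()
    {
        // Constructed sample accounts (hypothetical users, passwords and roles).
        Add("alice", "correct horse battery", "Manager|Employee");
        Add("bob", "s3cret!", "Employee");
    }

    private static void Add(string user, string password, string roles)
    {
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Users[user] = new UserRow { Salt = salt, PasswordHash = Hash(salt, password), Roles = roles };
    }

    // Salted SHA-256: only the salt and the hash are stored, never the password itself.
    private static byte[] Hash(byte[] salt, string password)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA256 sha = SHA256.Create()) return sha.ComputeHash(input);
    }

    // Step 1 of section 4.3.2: verify the supplied credentials.
    public static bool IsAuthenticated(string userName, string password)
    {
        UserRow row;
        if (!Users.TryGetValue(userName, out row)) return false;
        byte[] candidate = Hash(row.Salt, password);
        // Compare every byte regardless of where the first mismatch is, so the
        // comparison time does not reveal how much of the hash matched.
        int diff = candidate.Length ^ row.PasswordHash.Length;
        for (int i = 0; i < candidate.Length && i < row.PasswordHash.Length; i++)
            diff |= candidate[i] ^ row.PasswordHash[i];
        return diff == 0;
    }

    // Step 2: return the role list in the '|'-separated form stored in the ticket.
    public static string GetRoles(string userName)
    {
        UserRow row;
        return Users.TryGetValue(userName, out row) ? row.Roles : string.Empty;
    }
}

public static class Program
{
    // Steps 4 and 5 outside ASP.NET: build the principal and attach it to the thread
    // (in the web application this is Context.User in Application_AuthenticateRequest).
    public static IPrincipal Login(string userName, string password)
    {
        IPrincipal principal;
        if (CredentialStore.IsAuthenticated(userName, password))
        {
            string[] roles = CredentialStore.GetRoles(userName).Split('|');
            principal = new GenericPrincipal(new GenericIdentity(userName, "Forms"), roles);
        }
        else
        {
            // An empty identity name yields Identity.IsAuthenticated == false.
            principal = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
        Thread.CurrentPrincipal = principal;
        return principal;
    }

    // Programmatic method-level authorization; the declarative equivalent is a
    // [PrincipalPermission(SecurityAction.Demand, Role = "...")] attribute on the method.
    public static void RequireRole(string role)
    {
        IPrincipal p = Thread.CurrentPrincipal;
        if (p == null || !p.Identity.IsAuthenticated || !p.IsInRole(role))
            throw new SecurityException("Access denied: role '" + role + "' is required.");
    }

    public static void Main()
    {
        Login("bob", "s3cret!");
        RequireRole("Employee");                         // bob holds this role
        try { RequireRole("Manager"); }                  // bob does not
        catch (SecurityException ex) { Console.WriteLine(ex.Message); }
        Console.WriteLine(Login("alice", "wrong password").Identity.IsAuthenticated);
        Console.WriteLine(Login("alice", "correct horse battery").IsInRole("Manager"));
    }
}
```

A failed login deliberately installs an unauthenticated principal rather than leaving the previous one on the thread, so a later RequireRole call cannot succeed on stale identity; the same consideration applies to Context.User in the handler of section 4.3.2, which returns early without setting it.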
Figure 1 lists the various security technologies and the main authorization methods each one provides.

2. Authorization methods

As shown in Figure 1, the following authorization methods are provided by the .NET Framework on Windows 2000:

ASP.NET authorization
Enterprise Services authorization
SQL Server authorization

2.1 ASP.NET authorization

2.1.1 URL authorization

This authorization mechanism is configured through the machine and application configuration files. URL authorization allows you to control user access to specific files and folders in the application's URI namespace.

2.1.2 File authorization

This method restricts access to specified files on the web server. Access rights are determined by the Windows ACL associated with the file.

2.1.3 Principal permission demands

Principal permission demands can be used declaratively or programmatically as an additional fine-grained access control mechanism. They allow you to restrict access to classes, methods, or individual blocks of code based on the identity or group membership of a single user.

2.1.4 .NET roles

.NET roles are used to group users who have the same permissions within an application. This approach can be used with ticket-based authentication schemes (such as Forms authentication), and access to resources and operations can be configured declaratively or programmatically.

2.2 Enterprise Services authorization

In an Enterprise Services application, Enterprise Services roles control client access to the server components. These roles are different from .NET roles and can contain Windows group accounts or user accounts. Role membership is defined in the COM+ catalog and managed with the Component Services tool.

2.3 SQL Server authorization

SQL Server supports fine-grained authorization that can be applied to individual database objects. Permissions can be based on role membership or on individual Windows user or group accounts.

3. Selecting an authorization policy

ASP.NET applications have two basic authorization policies: role-based authorization and resource-based authorization.

3.1 Role-based authorization

Role-based authorization protects resources according to the caller's role membership. Roles partition the application's users into groups that share the same security privileges. Users are mapped to roles, and if a user is authorized to perform the requested operation, the application accesses the resource using a fixed identity. That identity is trusted by the respective resource managers (such as databases and file systems).

3.2 Resource-based authorization

Resource-based authorization protects individual resources using Windows ACLs. The application impersonates the caller before accessing the resource, which lets the operating system perform its standard access checks. All access to resources uses the security context of the original caller. This impersonation model cannot make use of connection pooling in the application's middle tier, which affects the scalability of the application.

4. Role-based authorization pattern

For most scalable .NET web applications, role-based authorization is the best choice. The common pattern is as follows: authenticate the user in the front-end web application, authorize the user according to role membership, and then access the necessary back-end resources using a fixed service identity. A typical implementation consists of these steps:

Create the credentials
Verify the credentials
Add the user to roles
Create an IPrincipal object
Place the IPrincipal object in the current HTTP context
Authorize according to the user identity or role membership

Abstract: This article introduces the concept of ASP.NET application secure communication, presents the available secure communication technologies, and compares them.

Keywords: SASL; IPSec; RPC; ASP.NET; Web application

1. Foreword

The basis of any successful application security policy is secure authentication and authorization, together with secure communication that provides confidentiality and integrity for sensitive data. Many applications transmit confidential data between their tiers, from the database to the browser or in the opposite direction. Examples of confidential data include detailed information such as credit card numbers and salary data. In addition, when login credentials are transmitted over the network, the application must protect them.

2. Features of secure communication

2.1 Privacy

Privacy ensures the confidentiality of data so that it cannot be read by anyone who may be running network monitoring software. Confidentiality is usually provided by encryption.

2.2 Integrity

A secure communication channel must ensure that data is not modified, intentionally or unintentionally, during transmission. Integrity is usually provided by a Message Authentication Code (MAC).

Please credit the original address when reprinting: https://www.9cbs.com/read-130329.html
