ASP.NET Application Security Program (2) - Authorization
Abstract: This article introduces the concept of authorization in ASP.NET applications, describes and compares the available authorization mechanisms, and explains how to choose between role-based and resource-based authorization.
Keywords: Authorization, ASP.NET, web application
1. Authorization Concept
Any successful application security policy rests on solid authentication and authorization mechanisms, together with secure communication that protects the confidentiality and integrity of sensitive data.
Authorization is the process that controls which resources an authenticated client may access and which operations it may perform. Resources include files, databases and the like, and also system-level resources such as the registry and configuration data.
Many web applications do not authorize access to the underlying resources directly; instead they authorize the operations (methods) the client is allowed to call. The main reasons for this are scalability and manageability of the application. Figure 1 lists the various security technologies and the main authorization mechanisms each of them provides.
2. Authorization Methods
As shown in Figure 1, the .NET Framework on Windows 2000 offers several authorization methods: ASP.NET authorization, Enterprise Services authorization and SQL Server authorization.
2.1 ASP.NET Authorization
2.1.1 URL Authorization. This mechanism is configured in the machine-level and application-level configuration files (machine.config and web.config). URL authorization lets you allow or deny users and roles access to specific files and folders within the application's URI namespace. The rules are evaluated from top to bottom and the first matching rule wins, so a deny rule must appear before any allow-all rule; the machine-level default allows all users.
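The following web.config fragment is an added example (not taken from the original article) of URL authorization as described above: the application as a whole requires an authenticated user, and one folder is further restricted to a role. The folder name "Admin", the role name "Manager" and the login page name are assumptions. One practical caveat: on IIS 5/6 only requests for extensions mapped to aspnet_isapi.dll pass through ASP.NET, so static files such as .txt or .pdf are not protected by these rules unless they are mapped as well.

```xml
<!-- Added example: URL authorization. Rules are checked top to bottom; the first match wins.
     "?" means anonymous users, "*" means all users. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- "protection=All" encrypts and MACs the Forms ticket; loginUrl is an assumed page name -->
      <forms loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- Application-wide default: deny anonymous users first, then allow everyone who remains -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Tighter rule for one folder: only members of the Manager role may reach /Admin.
       Without the trailing deny, the machine-level <allow users="*"/> would apply. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Manager" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Reversing the order of the two rules in either block (allow-all before deny) silently grants access to everyone, which is the most common mistake with this mechanism.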
2.1.2 File Authorization. This method restricts access to specific files on the web server. Access is determined by the Windows ACL attached to the file, checked against the caller's Windows identity, so it applies only when Windows authentication is used.
2.1.3 Principal Permission Demands. A principal permission demand (PrincipalPermission) can be issued declaratively or programmatically as an additional fine-grained access control mechanism. It lets you restrict access to classes, methods or individual blocks of code based on the identity of a single user or on role membership.
2.1.4 .NET Roles. .NET roles group the users of an application who share the same permissions. They can be used with ticket-based authentication schemes such as Forms authentication, and access to resources and operations can then be granted by role either declaratively or programmatically.
2.2 Enterprise Services Authorization. In an Enterprise Services (COM+) application, Enterprise Services roles control client access to the server components. These roles are distinct from .NET roles and may contain Windows group accounts or user accounts. Role membership is defined in the COM+ catalog and managed with the Component Services tool.
2.3 SQL Server Authorization. SQL Server supports fine-grained authorization that can be applied to individual database objects. Permissions can be based on role membership or on individual Windows user or group accounts.
3. Selecting an Authorization Policy
ASP.NET applications have two basic authorization policies: role-based authorization and resource-based authorization.
3.1 Role-based authorization secures access through the caller's role membership. Roles partition the application's users into groups that share the same security privileges. Users are mapped to roles, and once a user is authorized to perform the requested operation, the application accesses the resource with a fixed (service) identity. That identity is trusted by the respective resource managers, such as the database and the file system.
3.2 Resource-based authorization secures individual resources with Windows ACLs. The application impersonates the caller before accessing the resource, which lets the operating system perform its standard access checks, so all resource access takes place in the security context of the original caller. Because every caller connects under a different identity, this approach cannot benefit from connection pooling in the application's middle tier, which limits the application's scalability.
4. Role-Based Authorization Pattern
For most scalable .NET web applications, role-based authorization is the best choice. The common pattern is as follows:
Authenticate the user in the front-end web application, map the user to roles, authorize the user according to role membership, and access the necessary back-end resources with a fixed service identity. A typical implementation proceeds in these steps:
1. Obtain the credentials.
2. Verify the credentials.
3. Create an IPrincipal object that carries the user's roles.
4. Attach the IPrincipal object to the current HTTP context.
5. Authorize in code according to the user's identity and role membership.
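The code below is an added example, not code from the original article, that carries the five steps through with Forms authentication on the .NET Framework (System.Web) and then applies the principal permission demand and .NET role checks from sections 2.1.3 and 2.1.4. The roles are carried in the UserData field of the Forms ticket, which is encrypted and MAC-protected by the machineKey, so the client cannot add roles to its own ticket. UserStore, the role names Manager and Clerk, and the OrderService class are assumptions standing in for your own credential lookup and business code.

```csharp
// Added example (not from the original article): role-based authorization with Forms authentication.
// Assumption: UserStore is a placeholder for your own credential/role lookup (database or directory).
using System;
using System.Collections.Generic;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class LoginPage
{
    // Steps 1-2: obtain and verify the credentials, then issue a ticket that carries the roles.
    public static void Login(HttpContext ctx, string userName, string password)
    {
        if (!UserStore.ValidateUser(userName, password))
            throw new UnauthorizedAccessException("Invalid credentials");

        string roles = String.Join(",", UserStore.GetRolesForUser(userName));
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, roles, FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the <machineKey> encryption and MAC configured by protection="All".
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // keep the ticket out of reach of client-side script
        cookie.Secure = true;     // send the ticket only over HTTPS
        ctx.Response.Cookies.Add(cookie);
    }
}

public class Global : HttpApplication
{
    // Steps 3-4: FormsAuthenticationModule has already validated the ticket and set a principal
    // with no roles; replace it with one that carries the roles from the ticket.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated) return; // anonymous
        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity == null) return;   // a different authentication mode is in use

        string userData = identity.Ticket.UserData;
        string[] roles = userData.Length == 0 ? new string[0] : userData.Split(',');
        // ASP.NET copies Context.User to Thread.CurrentPrincipal later in the pipeline,
        // which is the principal that PrincipalPermission demands inspect.
        Context.User = new GenericPrincipal(identity, roles);
    }
}

public class OrderService
{
    // Step 5, declarative: the runtime throws SecurityException before the body runs
    // unless Thread.CurrentPrincipal is in the Manager role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public void ApproveOrder(int orderId)
    {
        // Access the back-end database here with the application's fixed service identity
        // (its own connection string), never with the caller's identity.
    }

    // Step 5, programmatic: the same check where the decision also depends on data.
    public static bool CanViewOrder(IPrincipal user, bool isOwnOrder)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        return user.IsInRole("Manager") || (user.IsInRole("Clerk") && isOwnOrder);
    }
}

// Placeholder user store with a constructed role table (assumption, not part of the article).
static class UserStore
{
    private static readonly Dictionary<string, string[]> Roles = new Dictionary<string, string[]>();
    static UserStore()
    {
        Roles["alice"] = new string[] { "Manager" };
        Roles["bob"] = new string[] { "Clerk" };
    }

    public static bool ValidateUser(string user, string password)
    {
        // Replace with a real check, e.g. comparing a salted hash stored in your database.
        return Roles.ContainsKey(user) && PasswordStore.Matches(user, password);
    }

    public static string[] GetRolesForUser(string user)
    {
        return Roles.ContainsKey(user) ? Roles[user] : new string[0];
    }
}

// Assumed password verification backend; implement against your own store.
static class PasswordStore
{
    public static bool Matches(string user, string password) { return false; }
}
```

The point of rebuilding the principal on every request is that role membership is never taken from the client in clear text: it comes out of the encrypted, MAC-protected ticket, and any tampering causes FormsAuthenticationModule to reject the ticket before this code runs. Note that the PrincipalPermission attribute checks Thread.CurrentPrincipal, not HttpContext.User, so it only works in ASP.NET because the pipeline synchronises the two after the AuthenticateRequest stage.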
See also: ASP.NET Application Security Program (1) - Authentication.