Abstract: ASP.NET Web applications are usually multi-tier systems, generally divided by logical architecture into a presentation layer, a business logic layer and a data access layer; when a client accesses a resource, authentication and authorization necessarily span several layers. This paper describes the resource access security models for ASP.NET Web applications, compares their advantages and disadvantages, and proposes a mechanism for choosing between them.
Keywords: trusted subsystem model; impersonation/delegation model; ASP.NET; Web application
1. Introduction
ASP.NET Web applications are usually multi-tier systems. Their logical architecture is generally divided into a presentation layer, a business logic layer and a data access layer; when a client accesses a resource, authentication and authorization necessarily span several of these layers. This article discusses the resource access security models available to ASP.NET applications.
2. Resource access identity
The typical resources that a Web application accesses on behalf of a client include:
Web server resources, such as Web pages, Web services and static resources (static Web pages and images).
Database resources, such as per-user data or application-level data.
Network resources, such as remote file resources.
System resources, such as the event log and configuration files.
When the application accesses these resources on behalf of the client across its layers, some identity must flow through every layer. The identities that may be used to access resources are:
Original caller identity: the original caller's identity is used for access at each layer.
Process identity: local resources are accessed, and downstream services are called, using the identity of the current process. The feasibility of this approach depends on crossing a boundary, because the process identity must be recognized by the target system. This requires one of the following two cases:
Within a single Windows security domain.
Across Windows security domains: either a trust relationship exists between the application's domain and the target domain, or, where there is no trust, mirrored accounts with duplicate user names and passwords are used.
Service account: this method uses a (fixed) service account. For database access, for example, the service account may be an ordinary SQL Server user name and password used by the component that connects to the database.
When a fixed Windows identity is required, it should be that of an Enterprise Services server application.
Custom identity: when no Windows account is available, the application can construct its own identity using its own IPrincipal and IIdentity implementations, which may carry detailed information about the security context.
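The custom identity option above, as an added example in C# (this code is not from the paper): an IIdentity implementation that carries an application-specific detail a Windows account would not (here a tenant id), an IPrincipal whose role membership comes from the application's own user store, and the Global.asax hook that attaches them to the request once ASP.NET has authenticated the user. The UserStore class and its sample data are constructed for the example; in a real application the roles and tenant would come from the application's database.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

// Custom identity: carries a tenant id in addition to the user name.
// "AppForms" as the authentication type is an assumption for this example.
public class AppIdentity : IIdentity
{
    private readonly string name;
    private readonly string tenantId;

    public AppIdentity(string name, string tenantId)
    {
        this.name = name;
        this.tenantId = tenantId;
    }

    public string Name { get { return name; } }
    public string AuthenticationType { get { return "AppForms"; } }
    public bool IsAuthenticated { get { return !string.IsNullOrEmpty(name); } }
    public string TenantId { get { return tenantId; } }
}

// Custom principal: role membership is decided by the application, not by
// Windows group membership, so downstream code can still call IsInRole.
public class AppPrincipal : IPrincipal
{
    private readonly AppIdentity identity;
    private readonly string[] roles;

    public AppPrincipal(AppIdentity identity, string[] roles)
    {
        this.identity = identity;
        this.roles = roles ?? new string[0];
    }

    public IIdentity Identity { get { return identity; } }

    public bool IsInRole(string role)
    {
        foreach (string r in roles)
            if (string.Equals(r, role, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }
}

// Constructed in-memory stand-in for the application's user table (hypothetical).
public static class UserStore
{
    private static readonly Dictionary<string, string[]> RolesByUser =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Manager", "Employee" } },
            { "bob",   new[] { "Employee" } }
        };
    private static readonly Dictionary<string, string> TenantByUser =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", "tenant-01" },
            { "bob",   "tenant-02" }
        };

    public static string[] GetRoles(string user)
    {
        string[] roles;
        return RolesByUser.TryGetValue(user, out roles) ? roles : new string[0];
    }

    public static string GetTenant(string user)
    {
        string tenant;
        return TenantByUser.TryGetValue(user, out tenant) ? tenant : null;
    }
}

// Global.asax: replace the principal ASP.NET built (e.g. from a forms
// authentication ticket) with the application's own principal.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return; // anonymous request: leave the default principal in place

        string user = Context.User.Identity.Name;
        Context.User = new AppPrincipal(
            new AppIdentity(user, UserStore.GetTenant(user)),
            UserStore.GetRoles(user));
    }
}
```

Because the replacement happens in Application_AuthenticateRequest, every later stage of the pipeline (URL authorization, page code, business components) sees the custom principal through HttpContext.User and Thread.CurrentPrincipal and can authorize with IsInRole without knowing where the roles came from.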
3. Resource access models
3.1 The trusted subsystem model
As shown in Figure 1, in this model the original caller's security context does not flow through to the operating-system-level services; instead, the middle-tier application service layer uses a fixed identity to access downstream services and resources. The trusted subsystem model takes its name from the fact that the downstream service (typically a database) trusts the upstream service to authorize callers. In the example of Figure 1, the database tier trusts the application to perform authorization and allows only the trusted application's identity to access the database.
3.1.1 Resource access pattern
In the trusted subsystem model, resource access follows this pattern:
Authenticate the user; map the user to roles; authorize the call based on role membership; then access downstream resources using a fixed, trusted identity.
3.1.2 Fixed identity
The fixed identity used to access downstream resources may be the application's process identity, or a pre-configured Windows account (a service account). For a SQL Server resource, this means Windows authentication on the SQL Server.
Usually the process identity of the ASP.NET application is used (by default, the ASPNET account). In practice, the ASPNET account's password is often changed to a stronger one, and a mirrored local account with the same user name and password as the ASP.NET process account is created on the SQL Server computer. The specific steps are as follows:
Edit the <processModel> element in the Machine.config file under %windir%\Microsoft.NET\Framework\v1.1.4322\CONFIG and change its password attribute from the default value; or use the Aspnet_setreg.exe tool to store the user name and password in the registry and configure the element as follows: <processModel enable="true" userName="registry:HKLM\SOFTWARE\YourApp\processModel\ASPNET_SETREG,userName" password="registry:HKLM\SOFTWARE\YourApp\processModel\ASPNET_SETREG,password" />
Alternatively, the application can access SQL Server with a SQL Server account specified in the connection string (user name and password). In this case the database must be configured for SQL Server authentication, and the connection string stored in the configuration file must be encrypted.
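The trusted subsystem pattern of 3.1.1 and the two fixed-identity options of 3.1.2, as one added C# example (not code from the paper): the middle-tier component authorizes the caller by role and then opens the database connection under a single fixed identity, never the caller's. The connection string name "OrdersDb", the role names and the Orders table are assumptions; ConfigurationManager requires .NET Framework 2.0 or later, whereas the paper's configuration path refers to v1.1.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security;
using System.Security.Principal;

// Middle-tier component in the trusted subsystem model:
//   1. the caller was authenticated by ASP.NET (IPrincipal.Identity),
//   2. the caller was mapped to roles (IPrincipal.IsInRole),
//   3. authorization happens HERE, in the middle tier,
//   4. the database sees only the fixed identity of this tier.
public class OrderService
{
    // Fixed identity, variant A (process/service account via Windows authentication):
    //   <add name="OrdersDb" connectionString="Server=dbserver;Database=Orders;Integrated Security=SSPI;" />
    //   The SQL Server login must match the ASP.NET process account (or its mirrored local account).
    // Fixed identity, variant B (SQL Server login in the connection string):
    //   <add name="OrdersDb" connectionString="Server=dbserver;Database=Orders;User ID=orders_app;Password=PLACEHOLDER;" />
    //   Here the <connectionStrings> section must be stored encrypted (see usage note).
    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["OrdersDb"].ConnectionString; }
    }

    public DataTable GetOrdersForCustomer(IPrincipal caller, int customerId)
    {
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("caller is not authenticated");

        // Role-based authorization before any resource is touched. The database
        // cannot make this decision: it only ever sees the fixed identity.
        if (!caller.IsInRole("OrderClerk") && !caller.IsInRole("Manager"))
            throw new SecurityException("caller is not permitted to read orders");

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT OrderId, OrderDate, Total FROM Orders WHERE CustomerId = @cust";
            cmd.Parameters.Add("@cust", SqlDbType.Int).Value = customerId;

            // Every request opens with the same credentials, so ADO.NET can pool
            // the connections: this is the scalability advantage of the model.
            conn.Open();

            DataTable result = new DataTable();
            result.Load(cmd.ExecuteReader());
            return result;
        }
    }
}
```

For variant B on .NET Framework 2.0 or later, the connectionStrings section can be encrypted in place with the framework's own tool, for example aspnet_regiis -pe "connectionStrings" -app "/YourApp", after which ConfigurationManager decrypts it transparently; on the v1.1 framework discussed by the paper the encryption has to be done by the application itself (for example with DPAPI).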
3.2 Impersonation/delegation model
As shown in Figure 2, in the impersonation/delegation model a service or component (usually located in the business logic layer) uses the operating system's impersonation facility to take on the client's identity before accessing the next downstream service. If the downstream service runs on the same computer, impersonation is sufficient; if it runs on a remote computer, delegation is also required. The security context in which downstream resources are accessed is therefore the client's context.
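The impersonation step described above, as an added C# example (not the paper's code): a component reads a file as the original caller by impersonating the caller's Windows identity, reverts in a finally block, and refuses a remote (UNC) path unless the caller's token allows delegation, since an impersonation-only token cannot authenticate to another machine. It assumes IIS authenticated the caller with Integrated Windows authentication so that HttpContext.User.Identity is a WindowsIdentity; the ReportService name is an assumption.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class ReportService
{
    // Reads a report under the ORIGINAL CALLER's security context, so the file
    // ACL is evaluated against the caller rather than the ASP.NET process account.
    public string ReadReportAsCaller(HttpContext ctx, string path)
    {
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("caller has no Windows identity to impersonate");

        // Same computer: impersonation is enough. Remote computer (UNC path): the
        // token must be delegable, otherwise the remote server sees an anonymous
        // or failed logon. This is the "delegation" requirement of the model.
        bool remote = path.StartsWith(@"\\");
        if (remote && caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new UnauthorizedAccessException("remote access requires a delegable token");

        WindowsImpersonationContext impersonation = null;
        try
        {
            // Switch this thread's security context to the caller's.
            impersonation = caller.Impersonate();
            return File.ReadAllText(path);
        }
        finally
        {
            // Always revert; otherwise later work on the thread would run as the caller.
            if (impersonation != null) impersonation.Undo();
        }
    }
}
```

Because each request runs under a different identity, connections opened inside the impersonated block cannot be shared between users, which is the connection pooling limitation the paper lists against this model.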
3.3 Selecting a resource access model
A comparison of the two resource access models is given in Table I.
Table I. Comparison of the two resource access models
| Aspect | Trusted subsystem model | Impersonation/delegation model |
| Security and auditing | The back-end service trusts the upper layer to authenticate and audit callers; if the middle tier is compromised, the back-end resources are exposed. | The back-end service authenticates and authorizes each caller individually; security is good. |
| Scalability | Supports connection pooling; better scalability. | Does not support connection pooling; poor scalability. |
| Access control | Back-end ACLs are configured for a single entity; less administrative effort. | Each user must be granted the appropriate access level on the back-end resources; as the number of users grows, administration becomes cumbersome. |
| Delegation | Does not require delegation. | Requires delegation; most security service providers do not support delegation. |
Most Internet applications and large intranet applications use the trusted subsystem model, mainly because it supports scalability. The impersonation/delegation model tends to be used for small systems, where scalability is not the main design factor and auditing is the primary consideration.
