• Chapter 5: Design and implement security


    Configure authentication

    • Authenticating users

      • IIS authentication

        • Anonymous
        • ASP.net impersonation
        • Basic
          transmit username/password between client/server in Base64 encoded but not encrypted.
        • Digest
          username/password are encrypted
        • Forms
          1: without using built-in windows security system
          2: use FormsAuthentication.SetAuthCookie to make authentication token available for the rest of the session.
        • Windows
          supported only in microsoft browser
          use NTLM/Kerberos
          straightforward and easy to implement, especially on intranet.
        • ASP.net impersonation authentication
          independent of authentication mode configured in Web.config file
      • System.Security.Principal.IPrincipal / System.Security.Principal.IIdentity

      • WindowsIdentity/WindowsPrincipal
      • FormsIdentity/GenericPrincipal
      • GenericIdentity/GenericPrinciapl

      use AuthorizeAttribute to enforce authentication

      • Form authentication + SimpleMembership + WebSecurity
        Windows authentication
        • use Active directory to manage users
        • all users are members of your domain
        • require users to use IE or Microsoft browser
          Form authentication
        • use standard ASP.net membership provider db schema or your own
          Custom authentication
        • create a custom provider by implementing IIdentity or IPrincipal to interact with underlying authentication mechanism
    • Manage user session by cookies

    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
    1,
    userName,
    DateTime.Now,
    DateTime.Now.AddDays(90),
    createPersistentCookie, // a Boolean indicating whether a cookie
    // should be created on the user's machine
    String.Join(";",rolesArr) //user's roles
    );
    // add cookie to response stream
    string encTicket = FormsAuthentication.Encrypt(authTicket);
    System.Web.HttpCookie authCookie = new System.Web.HttpCookie(FormsAuthentication.
    FormsCookieName, encTicket);
    System.Web.HttpContext.Current.Response.Cookies.Add(authCookie);
    
    • Configuring membership providers

      • use SimpleMembershipProvider/WebSecurity helper classes
    • Creating custom membership providers

      • ActiveDirectoryProvider for app use windows authentication
      • SqlMembershipProvider for form authentication

    Configure and apply authorization

    • create roles
    • configure roles
      configure a SQL membership role provider in Web.config file
      use InitializeDatabaseConnection(...) for SimpleMembershipProvider with SimpleRole.
    • Authorizing roles programmatically
      • applying Authorize attribute
      • check in code via followings
        *RoleProvider.GetRolesForUser, RoleProvider.IsUserInRole, HttpContext.User.IsInRole
        *WebSecurity.RequireRoles(...)
    • creating custom role providers
    • Implementing WCF service authorization

    Design and implement claims-based authentication across federated identity stores

    • Implementing federated authentication by using Windows Azure Access Control Service (ACS)
      ACS features includes:
      • integrates with Windows Identity Foundation (WIF)
      • support well-known identity providers such as Facebook, Microsoft account, Yahoo and Google
      • support Active Directory Federation Services (ADFS) 2.0
      • support OAuth 2.0, WS-Trust and WS-Federation protocols
      • support various token formats, include JSON Web Token (JWT), Security Assertion Markup Language (SAML) and Simple Web Token (SWT)
      • provides a web-based management portal

    ACS authentication process

    • Creating a custom security token by using WIF
    • Handling token formats for SAML and SWT tokens

    Manage data integrity

    • encryption terminology

      • Encryption: DES, AES
      • Hashing: MD5, SHA
      • Salting
    • Applying encryption to application data

      • Symmetric: AES, DES, RC2, Rijindael, TripleDES
      • Asymmetric: DSA, ECDiffieHellman, ECDsa, RSA
    using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
    {
    // assumes that the key and initialization vectors are already configured
    CryptoStream crypoStream = new CryptoStream(myManagedStream, rijndaelManaged.
    CreateEncryptor(),CryptoStreamMode.Write);
    };
    
    using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
    {
    // assumes that the key and initialization vectors are already configured
    CryptoStream crypoStream = new CryptoStream(myManagedStream, rijndaelManaged.
    CreateDecryptor(),CryptoStreamMode.Read);
    };
    
    • Applying encryption to the configuraion sections of an application

      • DPAPIProtectedConfigurationProvider
      • RsaProtectedConfigurationProvider: allow export/import of the keys used for encryption/decryption
      • use aspnet_regiis to encrypt/decrypt sections of the Web.confg file.
    • Signing application data to prevent tampering

    // create the hash code of the text to sign
    SHA1 sha = SHA1.Create();
    byte[] hashcode = sha.ComputeHash(TextToConvert);
    // use the CreateSignature method to sign the data
    DSA dsa = DSA.Create();
    byte[] signature = dsa.CreateSignature(hashcode);
    
    // create the hash code of the text to verify
    SHA1 sha = SHA1.Create();
    byte[] hashcode = sha.ComputeHash(TextToVerify);
    // use the VerifySignature method to verify the DSA signature
    DSA dsa = DSA.Create();
    bool isSignatureValid = dsa.VerifySignature(hashcode, signature);
    

    Implement a secure site with ASP.NET

    • Securing communication by applying SSL/TLS certificates
      setup site with certificate and https

    • Salt and hash passwords for storage

    • Using HTML encoding to prevent cross-site scripting attacks (AntiXSS Library)

      • use @Html.Encode()
      • encode the data before saving to db
      • use AntiXSS library from NuGet
    • Implementing deferred validation and handle unvalidated requests

    • Preventing SQL injection attacks by parameterizing queries

    • Preventing cross-site request forgeries (XSRFs)

    [RequireSession]
    [AcceptVerbs(HttpVerbs.Post)]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string remember, string deviceToken, string apid)
    {
    }
    
    @using (Html.BeginForm("Login", "Authorize"))
    {
    @Html.AntiForgeryToken();
    }
    

    internally cookie is used for XSRF validation.

    --------------------------- 知道的更多,不知道的也更多 ---------------------------
  • 相关阅读:
    springboot中filter的配置和顺序执行
    springboot整合fastdfs实现上传和下载
    移动端通过fiddler代理调试PC端代码
    react-native windows 环境搭建
    带你逐行阅读redux源码
    前端单页面拆分多个单页面
    Koa2学习(九)与mongoDB交互
    Koa2学习(八)使用session
    Koa2学习(七)使用cookie
    Koa2学习(六)使用koa-router
  • 原文地址:https://www.cnblogs.com/mryux/p/4801042.html
Copyright © 2020-2023  润新知