Internet Security


You can use Internet Protocol Security (IPSec) to restrict access to your computer to certain IP addresses. Of course, you need to know the IP addresses of your clients. The advantage is that you do not have to change your client application, ASP.NET code, or Web Service code to use it. This is impractical for public Web sites or services where you do not know who your clients are.

Internet Information Server

While the focus of this chapter is .NET security, some knowledge of IIS Security is important. Since both Web Services and ASP.NET use IIS, your IIS settings do affect .NET security.

In the previous chapters on ASP.NET and Web Services, we have used the default settings of Anonymous access. Anonymous access does not require a user name or password to access an account. You run under some default user account. Anonymous access is useful for public Web sites and services that do their own authentication by asking for a user name or password or by some other means. In such a scenario you could use ASP.NET forms-based authentication. You can build forms to get the user name and password and then validate them against a configuration file or database.

Internet Information Services supports the major HTTP authentication schemes, which are listed in Table 12-1. Each scheme requires you to configure IIS appropriately. In each of these scenarios IIS authenticates the user if the credentials match an existing user account. Secure Sockets Layer (SSL) is used whenever you need to encrypt the HTTP communication channel. SSL can degrade performance. We do not discuss SSL in this chapter.

Table 12-1. IIS Authentication Schemes

Scheme                         Type of Authentication
Basic                          User and password information is effectively sent as plain text. This is standard HTTP authentication and is not secure.
Basic over SSL                 Basic authentication, but the communication channel is encrypted, so that the user name and password are protected.
Digest                         Uses secure hashing to transmit user name and password. This is not a completely secure method because the hash codes stored on the server are reversible. [4] It was introduced in HTTP 1.1 to replace Basic authentication.
Windows Integrated Security    Traditional Windows security using NTLM or Kerberos protocols. IIS authenticates if credentials match a user account. Cannot be used across proxies and firewalls. NTLM is the legacy Windows security protocol.
Certificates over SSL          Client obtains a certificate that is mapped to a user account.

[4] See the discussion of hash codes in Chapter 7. A message digest is another name for the result of applying a hash code to a message.
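As an added illustration of what the Basic and Digest rows of Table 12-1 mean on the wire (this code is not from the book; the user, password, realm, nonce and URI are constructed sample values), the following Python shows that a Basic header sent without SSL hands the password to anyone who sees it, while Digest sends only a hash that the server checks against a hash it has stored:

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the book): a client, a protected page
# and the nonce an IIS-style server might send in its 401 challenge.
USER = "alice"
PASSWORD = "s3cret"
REALM = "intranet.example"
NONCE = "2c9f0a7b4e1d3f6a"
METHOD = "GET"
URI = "/private/default.aspx"


def basic_header(user, password):
    """Authorization header a client sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic_credentials(header):
    """Without SSL anyone on the path reads this: base64 is encoding, not encryption."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). The server must hold this (or the password
    itself) to verify responses, so the stored value is as sensitive as the password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """Client side of RFC 2617 Digest without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    ha1 = digest_ha1(user, realm, password)
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def server_accepts_digest(stored_ha1, method, uri, nonce, response):
    """Server side: recompute from the stored HA1 and the nonce it issued, compare in constant time."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    expected = hashlib.md5(f"{stored_ha1}:{nonce}:{ha2}".encode()).hexdigest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print("Basic header:", hdr, "-> recovered:", recover_basic_credentials(hdr))
    resp = digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    print("Digest response:", resp, "accepted:",
          server_accepts_digest(digest_ha1(USER, REALM, PASSWORD), METHOD, URI, NONCE, resp))
```

A replayed response fails once the server issues a different nonce, which is why the server, not the client, must choose it.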

You will also have to adjust access to the necessary files (graphics, data store files, etc.) and other resources (e.g., databases) so that only those user accounts can reach them (authorization). For public Web sites and Web services this approach is not useful because users will not have user accounts.

Microsoft has introduced the Passport authentication scheme. While ASP.NET does have support for Passport (the System.Web.Security.PassportIdentity class) on the server side, as of this writing developer tools to handle the client side for Passport authentication do not yet exist. Passport avoids the problem of requiring specific accounts on specific machines. We will not discuss Passport in this chapter.

The security specification for SOAP is being worked on by the W3C. You could create your own custom authentication using SOAP messages. Since XML is transmitted as text, you want to run using Secure Sockets Layer to encrypt the messages (especially if you use tags such as <user> and <password>). In general, secure data has to be encrypted when using SOAP.



Application Development Using C# and .NET
ISBN: 013093383X
Year: 2001
Pages: 158