高级PPT模版2.pptVIP

ASP.NET Security Erik Olson Program Manager .Net Framework Team Agenda Overview Authentication Authorization Role-Based Security Evidence-Based Security Questions? Role-Based Services ASP.NET support for authentication and authorization Extensible and customizable Authentication scheme transparency Simple deployment model Web applications can use/extend role-based security services Support for granular declarative imperative authorizations Evidence-Based Services Evidence-based security model Designed to support mobile code, componentized, and server applications Code-based authorizations Fine-grained control over resources Supplements but does not replace traditional user-oriented OS security System protected from hostile apps, but can still let apps do useful work Run-time Security Behavior constrained by least trustworthy component. Dynamic authorization assessment App-defined Security Industry standard signature, key exchange, and symmetric encryption algorithms W3C XML Digital Signature support now, active in XML Encryption WG Remoting hooks Can perform custom processing on serialized remote object calls/responses (i.e., SOAP) ASP.NET Compilation IIS 5 Process Model IIS 6 Process Model (native) Process Identity Win2K: Default is System Can also run with ASPNET account or configured account (please do this!) Whistler with IIS 6 in native mode Process identity is inherited from IIS worker process Whistler Beta 2 Default is System, move to NetworkService planned Request Identity Impersonation is optional Beware asynchrony and impersonation Async completions serviced with process identity unless explicitly managed Checking Thread Identity ASP Compatibility Mode Only on pages marked as such Exposes COM compatible intrinsics Page is run on a COM+ managed STA thread Server.CreateObject or object runat=server requires this mode for STA components Use Activator.CreateInstance for STA components on MTA threads Configuration Lockdown Lockdown of configuratio