可以使用 HTTPModules 保护经典 ASP 应用程序的安全吗?
我有一个经典的 ASP 应用程序,当前使用在 IIS 6 上运行的 ASP.NET 表单身份验证进行保护,问题是我们的目的要求该应用程序使用 Entrust TruePass 实现单点登录安全模型,我相信该模型使用客户端证书。 这可以使用 ASP.NET Http 模块来实现还是必须编写 ISAPI 过滤器? 还有其他选择吗?
I have a classic ASP application currently secured using ASP.NET Forms Authentication running on IIS 6, the problem is our purposes require this application implement a Single-Signon security model using Entrust TruePass which uses Client Certificates I believe. Can this be implemented using ASP.NET Http Modules or do I have to write an ISAPI filter? Are there other options available?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
为了触发 HttpModule,您必须让 IIS 将请求发送到 aspnet_isapi.dll,然后发送到常规 asp.dll。 在大多数情况下,如果 .net 中有端点,它不会将请求传递回 IIS,但在 IIS6 中,您可以定义通配符的处理程序,请参阅这篇关于使用表单身份验证保护非 .net 内容的文章 https://web.archive.org/web/20111127051259/http ://www.15seconds.com/issue/070104.htm
所以你要做的就是创建你的模块,在 web.config 中注册并使用它来进行身份验证,只要终点不'不匹配 .net 将处理的任何内容,那么它应该让它返回 IIS 以转到 asp.dll
[上面的链接来自互联网档案馆 2011 年 11 月。文章之前位于 http://www.15seconds.com/issue/070104.htm ]
In order to fire the HttpModule you have to have IIS send the request to aspnet_isapi.dll and then the regular asp.dll. In most cases if there is an endpoint in .net it won't pass the request back to IIS but in IIS6 you can define a handler for wildcards see this article on securing non .net stuff using forms authentication https://web.archive.org/web/20111127051259/http://www.15seconds.com/issue/070104.htm
So what you would do is create your module, register in web.config and use it to do the authntication, and as long as the end point doesn't match anything .net will handle then it should let it go back to IIS to go to asp.dll
[Link above is via Internet Archive Nov 2011. Article was previously at http://www.15seconds.com/issue/070104.htm ]
首先我要声明,我对 HTTPModule 不太了解,但我认为您可以编写自己的 IHttpModule 实现来处理 TruePass。 有关详细信息,请参阅此链接:MSDN HttpModules 。
根据我的经验,在经典 ASP 和 .NET 之间来回切换的最大麻烦是处理会话信息。 .NET 无法读取存储在经典 ASP 会话变量中的内容,反之亦然。 但由于您的 FormsAuthentication 很可能使用 cookie,因此您现在有一种来回切换的方法。
我不确定其他选择。 如果您的业务需求是保留经典的 asp 代码并使用 TruePass,那么我认为您可以使其工作。
希望有帮助。
First off let me state that I don't know a whole lot about HTTPModules, but I would think you could write your own implementation of IHttpModule to handle the TruePass. See this link for more information: MSDN HttpModules.
From my experience, the biggest hassle of going back and forth between classic ASP and .NET is dealing with Session information. Something stored in a classic ASP session variable can't be read by .NET and vice versa. But since your FormsAuthentication is most likely using cookies, you have a means of going back and forth now.
I'm not sure about other options. If your business requirements are to keep the classic asp code and to use the TruePass, then I would think you could make it work.
Hope that helps.