ASP.NET MVC 中的客户端 PC 身份验证(需要建议)
我有一些身份验证场景,我不确定如何处理。我将不胜感激有关该主题的任何建议。
要求:
- 网站将包含一个部分 仅可用于 特定的计算机。
- 网站需要知道哪台电脑当前正在发出请求(我需要能够将这台电脑与数据库中的其他表联系起来)
- 我们对将访问网站的电脑拥有完全访问权限
- 网站不能要求登录,用户应该只看到内容 解决方案
- 需要安全,因为它必须通过安全审核
- 假设每台 PC 位于不同的网络上。
到目前为止我的想法:
- 使用客户端证书,但我 不确定是否可以发出 每个客户有不同的证书?如果 答案是“你不知道谁是谁” 提出请求'而不是失败 要求编号 2,因此是 不是一个选择。
- 视窗 身份验证与模拟所以 我可以让不同的用户登录 在 PC 上(我可以控制将会发生的事情) 登录的用户名/帐户 机)
- 基本身份验证并设置 PC 首次记住用户名/密码。我有点担心这个“记住我”会过期,这会导致大混乱,因为有人必须再次设置这台电脑......
- Windows Identity 基金会 - 从未尝试过,但如果可以的话 在某些地方实现这个场景 好方法,如果可以的话我很感激 为我指明正确的方向。
预先感谢您的帮助。
编辑:
如果可能的话,我不想使用 SSL...(性能考虑)
EDIT2:
目前我认为最好的选择是检查 PC 是否经过身份验证(是否包含表单身份验证 cookie),如果没有,则将其重定向到某个 https:// 页面,该页面将检查客户端证书,如果证书存在则设置 cookie,重定向回目标页面。
这应该不会很慢,因为只有在 cookie 过期的极少数情况下才会使用 SSL。
如果您发现此解决方案有任何缺陷,请告诉我。
如果您知道如何创建服务器证书并随后从中生成不同的客户端证书,我将不胜感激。
I've have some authentication scenario that I'm not sure how to approach. I'll appreciate any advice on the subject.
Requirement:
- Website will contain one section
that will be only available to
specific computers. - Website needs to be aware which PC is currently making request (I need to be able to tie this PC to other tables in Database)
- We have full access to PCs that will be accessing website
- Website cannot require login, user should be just presented with content pages without need for logging in.
- Solution needs to be secure since, it will have to pass security audit
- Assume that every PC is on different network.
My ideas so far:
- use client certificates but I'm
not sure whether you can issue
different certificate per client? If
the answer is 'you don't know who is
making the request' than it's failing
requirement number 2 and therefore is
not an option. - Windows
Authentication with impersonation so
I can have different users logged in
on PC (I'm in control what will be
the user name/account logged in on
the machine) - Basic Authentication and set PC to remember username/password first time. I'm a bit afraid that this "remember me" can expire which would cause big chaos since someone would have to setup this PC(s) again...
- Windows Identity
Foundation - never tried but if I can
implement this scenario here in some
nice way I appreciate if you can
point me in the right direction.
Thanks in advance for your help.
EDIT:
I would prefer not to use SSL if possible... (performance consideration)
EDIT2:
Currently I think that the best option would be to check whether PC is authenticated (whether it contains Forms Authentication cookie) and if it is not then redirect him to some https:// page that will check client certificate, set cookie if cert exists and redirect back to target page.
This shouldn't be slow since SSL will be used only in rare cases when cookie expires.
Please let me know if you see any flaws in this solution.
If you know how to create server certificate and later generate different client certificates from it I would be grateful for guidelines.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论