When is it worth implementing a WIF solution?

Posted 2024-11-18 05:54:50 · 917 characters · 0 views · 0 comments


I'm trying to build / architect a security solution for an intranet application and I'm wondering if implementing a WIF level solution is worth it, given the requirements.
Essentially, I have the following things that are considerations

  • The general platform is ASP.NET MVC 3 / Windows Servers / SQL Server 2008 R2 database.
  • Information comes into our system from an outside vendor that provides a workflow software solution
  • Since the vendor software only covers part of the company's typical workflow, they'll be sending us data as a REST call. Our end uses WCF REST calls to receive this data.
  • A VPN tunnel is supposed to be built to the outside vendor's servers as part of the security.
  • There's pressure from the top that this VPN isn't enough security. Also, as there are authorization issues (some users shouldn't have access to some data), we should have something that identifies users on our end as well as the vendor's end to ensure information is from the right person, with the proper rights to make these changes.
  • The outside vendor has their own security system, but nothing we can truly tap into, so I'm not sure what, if anything, we can do to synchronize security.
  • The piece of the workflow that we pick up is what is handled via MVC 3 / SQL Server.
  • Our company uses Active Directory for user management, and I'd like it if I can lean on it if possible. Ideally, I'd like to not introduce Yet Another Password to our users, since they'll have their work logins, the outside workflow vendor logins, and logins to yet other vendors.
  • While the solution is initially going to be part of the company I'm in now, it might roll out to other sister companies that are under our same Active Directory.
  • While using the workflow solution will be limited to users in Active Directory, it is likely that we'd have outside users that we'd prefer not to give Active Directory accounts to that will view reports running on SSRS.

Sorry if this is really long, but I hope that providing as much information as possible, I can get the best answers / solutions / practices / recommendations possible for this problem.
Thanks.

Comments (1)

缘字诀 2024-11-25 05:54:50


It's worth installing WIF if you want to future-proof your solution. WIF enables claims and Microsoft is building their apps around claims e.g. SharePoint 2010, CRM Dynamics 2010, Office 365 and Azure ACS are all built around claims, WIF and STS.

Once you have the infrastructure installed, it's relatively easy to federate with other partners. The traditional way is to enable trust between AD but as you add more and more companies you run into problems with IP, Netbios etc. clashes.

WIF addresses a number of points you have raised.

  • Allowing external users access without adding them to a local AD
  • An additional encryption layer over and above IIS SSL.
  • Allocating roles to users for authorisation (both coarse and fine grained)
  • SSO
  • Built around AD
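To make the "roles for authorisation (both coarse and fine grained)" and "built around AD" points concrete, here is an added example of the two WIF extension points an MVC application would plug into. It is not code from the original question or answer. It uses the .NET 4.5 `System.Security.Claims` namespaces (WIF 3.5, which shipped separately for the MVC 3 era, has the same two classes under `Microsoft.IdentityModel.Claims`). The claim type URIs, the AD group names, the role names, the `workflow/<company>/<itemId>` resource format and the user `jdoe` are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims; // .NET 4.5; WIF 3.5 used Microsoft.IdentityModel.Claims (IClaimsPrincipal)

namespace WifClaimsExample
{
    // Claim type URIs below are constructed for this example, not WIF-defined.
    public static class AppClaimTypes
    {
        public const string AdGroup = "http://example.com/claims/adgroup";
        public const string Company = "http://example.com/claims/company";
    }

    // Step 1: claims transformation. Runs once per authenticated request, after the
    // AD (Kerberos/NTLM) login or the federated STS token has been validated and before
    // any controller sees the principal. It turns raw AD group names into application
    // roles so the MVC code never hard-codes group names.
    public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Hypothetical mapping; in a real deployment this lives in config or the database.
        private static readonly Dictionary<string, string> GroupToRole = new Dictionary<string, string>
        {
            { "Workflow-Clerks",    "Clerk" },
            { "Workflow-Approvers", "Approver" },
        };

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal; // anonymous caller: nothing to enrich

            var identity = (ClaimsIdentity)incomingPrincipal.Identity;
            foreach (var group in identity.FindAll(AppClaimTypes.AdGroup).Select(c => c.Value).ToList())
            {
                string role;
                if (GroupToRole.TryGetValue(group, out role))
                    identity.AddClaim(new Claim(ClaimTypes.Role, role));
            }
            return incomingPrincipal;
        }
    }

    // Step 2: authorization. Coarse-grained: the action requires a role.
    // Fine-grained: the caller's company claim must match the company that owns the
    // workflow item. Resource strings use the constructed format "workflow/<company>/<itemId>".
    public class AppClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        private static readonly Dictionary<string, string> ActionToRole = new Dictionary<string, string>
        {
            { "Read",    "Clerk" },
            { "Approve", "Approver" },
        };

        public override bool CheckAccess(AuthorizationContext context)
        {
            if (context.Action.Count == 0 || context.Resource.Count == 0) return false; // deny by default
            string action   = context.Action[0].Value;
            string resource = context.Resource[0].Value;

            string requiredRole;
            if (!ActionToRole.TryGetValue(action, out requiredRole)) return false;         // unknown action
            if (!context.Principal.HasClaim(ClaimTypes.Role, requiredRole)) return false; // coarse-grained check

            string[] parts = resource.Split('/');
            if (parts.Length != 3 || parts[0] != "workflow") return false;                // malformed resource
            return context.Principal.HasClaim(AppClaimTypes.Company, parts[1]);           // fine-grained check
        }
    }

    public static class Demo
    {
        public static void Main()
        {
            // Constructed identity standing in for what the AD login or STS token would carry.
            var identity = new ClaimsIdentity(new[]
            {
                new Claim(ClaimTypes.Name, "jdoe"),
                new Claim(AppClaimTypes.AdGroup, "Workflow-Clerks"),
                new Claim(AppClaimTypes.Company, "acme"),
            }, "Constructed");
            var principal = new AppClaimsAuthenticationManager().Authenticate("/", new ClaimsPrincipal(identity));

            var authz = new AppClaimsAuthorizationManager();
            var checks = new[]
            {
                new { Resource = "workflow/acme/42",  Action = "Read" },    // allow: Clerk and same company
                new { Resource = "workflow/other/42", Action = "Read" },    // deny: different company
                new { Resource = "workflow/acme/42",  Action = "Approve" }, // deny: not an Approver
            };
            foreach (var c in checks)
            {
                bool ok = authz.CheckAccess(new AuthorizationContext(principal, c.Resource, c.Action));
                Console.WriteLine("{0,-8} {1,-20} -> {2}", c.Action, c.Resource, ok ? "allow" : "deny");
            }
        }
    }
}
```

In a deployed application the two classes are registered in web.config (under `system.identityModel/identityConfiguration` in .NET 4.5, `microsoft.identityModel/service` in WIF 3.5) rather than instantiated by hand, and the same `CheckAccess` then serves both the MVC controllers and the WCF REST endpoint. The fine-grained branch only works when the calling principal actually carries per-user claims: a request that is trusted solely because it arrived over the VPN has no such claims, which is the gap the question describes between the vendor's security system and yours.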