我使用.NET框架,Windows身份验证,ASP.NET模拟和SQL Server行级安全性成功实现了以下方案。这个问题我的目标是确定如何将其迁移到.NET 6。
当前流动的应用程序代表Windows用户启动查询。该应用程序冒充Windows用户并将请求发送到SQL Server。然后,SQL Server根据基础访问谓词过滤数据,并仅返回该用户的相对数据。
示例如下:
用户表
| 用户 |
名名称 |
乡村 |
| 域\ tjones |
tom tom tom |
Mexico |
| domain \ tjones |
tom tom jones |
canada |
| \ rmartin |
martin |
中国 |
| 域名 |
robert |
tom |
| domain |
jones |
tom |
tom 表
| 国家 |
月 |
总计 |
| 墨西哥 |
1 |
220.00 |
| 墨西哥 |
2 |
1500.00 |
| 加拿大 |
1 |
1800.00 |
| 加拿大 |
2 |
920.00 |
| 中国 |
1 |
120.00 |
| 中国 |
1 |
2210 |
| .00日本 |
2 |
4230 |
| .00日本 |
2 |
306.00 |
select a select * select * from Money
·琼斯
| 月 |
总计 |
墨西哥 |
| 1 |
220.00 |
墨西哥 |
| 2 |
1500.00 |
加拿大 |
| 1 |
1800.00 |
加拿大 |
| 2 |
920.00 |
|
罗伯特·马丁(Robert
| |
) |
Martin |
| 汤姆 |
程序的 |
国家 |
| 基于正在访问该应用 |
2 |
2210. |
| 00日本 |
1 |
4230 |
| .00日本 |
2 |
306.00 |
sue brown
| strong |
/ strong |
|
| 加拿大 |
1 |
1800.00 |
| < |
2 |
920.00 |
此时,我们打算迁移到.NET 6,我正在重新评估我们以自ASP.NET以来实施安全性的方法不能实施模仿:
https://lealen.microsoft.com/en-us/aspnet/core/security/security/authentication/windowsauth?view= asspnetcore-6.0&amp.amp; tabs=visual-stabs=visual-studio-studiostudio#impsersonation
ASP.NET Core不会实施模仿。应用使用应用程序池或进程身份,使用应用程序的所有请求的应用程序的身份运行。
实施.NET 6 API项目的授权的最佳方法是什么,其中用户通过Windows身份验证对用户进行身份验证,然后根据将用户名分配给的角色(在此示例中)的角色(country)授权?现在,该应用程序不是使用RLS,而是通过将其Windows身份验证与授权表匹配,而不是根据用户的授权进行过滤。
快速点要突出显示:
- 这仅是Intranet应用程序。铁包层安全不是主要问题。
- Windows身份验证很重要。用户每次输入时都不会登录。
- 易于使用员工是重中之重。
谢谢您的建议。
I have implemented the below scenario successfully using .NET Framework, Windows Authentication, ASP.NET Impersonation, and SQL Server Row-Level Security. My goal with this question is to determine how to migrate this to .NET 6.
The current flow has the application initiating a query on behalf of the windows user. The application impersonates the windows user and sends the request to SQL Server. SQL Server then filters the data based on an underlying access predicate, and returns only the relative data for that user.
Example as follows:
UserAccess Table
| username |
name |
country |
| domain\TJones |
Tom Jones |
Mexico |
| domain\TJones |
Tom Jones |
Canada |
| domain\RMartin |
Robert Martin |
China |
| domain\RMartin |
Robert Martin |
Japan |
| domain\SBrown |
Sue Brown |
Canada |
Money Table
| country |
month |
total |
| Mexico |
1 |
220.00 |
| Mexico |
2 |
1500.00 |
| Canada |
1 |
1800.00 |
| Canada |
2 |
920.00 |
| China |
1 |
120.00 |
| China |
2 |
2210.00 |
| Japan |
1 |
4230.00 |
| Japan |
2 |
306.00 |
The results for a SELECT * FROM Money statement will vary based on the user who is accessing the application:
Tom Jones
| country |
month |
total |
| Mexico |
1 |
220.00 |
| Mexico |
2 |
1500.00 |
| Canada |
1 |
1800.00 |
| Canada |
2 |
920.00 |
Robert Martin
| country |
month |
total |
| China |
1 |
120.00 |
| China |
2 |
2210.00 |
| Japan |
1 |
4230.00 |
| Japan |
2 |
306.00 |
Sue Brown
| country |
month |
total |
| Canada |
1 |
1800.00 |
| Canada |
2 |
920.00 |
At this point we intend to migrate to .NET 6, I am reassessing our methodology for implementing security since ASP.NET does not implement impersonation:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-6.0&tabs=visual-studio#impersonation
ASP.NET Core doesn't implement impersonation. Apps run with the app's identity for all requests, using app pool or process identity.
What is the best way to implement Authorization for a .NET 6 API project where a user is authenticated with Windows Authentication, and then authorized based on what roles (country in this example) their username is assigned to? Now, rather than using RLS, the application would receive all the data but filter based on a user's authorization by matching their Windows Authentication to an authorization table.
A few quick points to highlight:
- This is an intranet application only. Iron clad security is not the primary concern.
- Windows Authentication is important. Users are not going to want to login each time they enter.
- Ease of use for employees is top priority.
Thank you for the suggestions.
发布评论