
ARC-411 Building an enterprise web service, a case study: Authentication, Membership and Profile


Presentation Transcript


  1. ARC-411 Building an enterprise web service, a case study: Authentication, Membership and Profile

  2. Agenda • Review: ASP.NET 2.0 Membership & Profile • Requirements of the real system: • A service, not an ASP.NET website (no HttpContext) • Scalability: not only at the web service tier but also at the database tier • Data model: profile data for data mining • Support for existing users • Mobile user support: consistent with PC users • Security: web service and database • Design and implementation

  3. Requirements: Interoperability & Functionality • Must be a stateless web service that does not depend on the client application's HttpContext. • Must support applications on several platforms (.NET Framework 1.1, 2.0, J2EE) • Functionality: • Login, email verification • User authentication • Membership management (password change, password reset) • Profile: update and retrieval • Profile management • User favorites and preferences

  4. Requirements (Functional Requirements)

  5. Requirements: Scalability • Not only at the web service tier but also at the database tier • User data must be partitioned horizontally

  6. Requirements: scalability at the web service tier and at the database tier

  7. Requirements: Data model • Membership and profile data must be available as relational data for data mining: • A single-valued user attribute (such as zip, email, name, etc.) gets its own column; • A multi-valued user attribute (such as favorites) goes into a separate table.

  8. Requirements: Supporting existing users • Existing users must still be able to log in with their existing passwords. • Existing passwords are non-retrievable (only the hash is stored); • Existing passwords were encoded differently, salted differently and hashed differently from the new standard. • Hash process: string -> encoding -> byte[] -> salt -> hash(byte[]) -> base64 string (CryptographyAPI.HashPassword_Aspnet20) • Existing users must be able to change or reset their passwords. • After a password change or reset, the password hash follows the new standard.

  9. Requirements: Supporting mobile users • Mobile users and PC users register differently (see the figure on the next slide). • There is no fixed order between a user's mobile registration and PC registration. • To give a unified user experience the two registrations must be mergeable into one, but the merge must be initiated by the user.

  10. Requirements: Supporting mobile users - the different registrations

  11. Design Decisions

  12. Comparison: the requirements versus ASP.NET 2.0 Membership & Profile

  13. Design choice: custom providers or the ASP.NET 2.0 providers

  14. Design

  15. Design: the MAP (Membership, Authentication and Profile) web service. Layers, top to bottom: • Security (WSE 2.0 SP3 / WSE 3.0: authentication, authorization, encryption, message signing) • MAP web service: MAP API, User Profile Schema, Logging • ASP.NET 2.0 Membership and Profile API • .NET Framework Configuration API • SQL Server (MAP Database), several instances

  16. Design: Scalability - multiple Membership Providers and Profile Providers. Several web servers host the MAP web service. Each web server hosting the MAP web service has a provider selector and multiple membership providers and profile providers, each dedicated to one database server: • Membership Provider 1 and Profile Provider 1 -> Membership/Profile DB for users A-J • Membership Provider 2 and Profile Provider 2 -> Membership/Profile DB for users K-S • Membership Provider 3 and Profile Provider 3 -> Membership/Profile DB for users T-Z

  17. Design: Scalability - a provider-centric approach. The provider-centric API (WebMethods Login, Register, Password reset) takes the user name, determines the provider from it, and then calls that provider by name. The number of providers and the routing rules are configured in web.config.
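  The routing step described on this slide, as an added example (not the talk's code, and in Python rather than the talk's .NET): the partition rules are constructed to mirror the A-J / K-S / T-Z split and stand in for the web.config entries; the catch-all provider for names that do not start with a Latin letter, the provider names and the stub provider are assumptions. The rule validator is the check a practitioner wants before deploying such a configuration, because a gap or an overlap in the ranges makes routing ambiguous and a user created on one shard can later be looked up on another.

```python
"""Provider selector for horizontally partitioned membership/profile stores."""
from __future__ import annotations

# Constructed rules standing in for the web.config entries the talk describes:
# (first letter, last letter, provider name), inclusive, matched on the first
# character of the case-folded user name. Same split as the talk's A-J / K-S / T-Z.
PARTITION_RULES = [
    ("A", "J", "MembershipProvider1"),
    ("K", "S", "MembershipProvider2"),
    ("T", "Z", "MembershipProvider3"),
]

# Names that do not start with a Latin letter (digits, underscore, non-Latin
# scripts) still need a home; which provider is the catch-all is an assumption.
DEFAULT_PROVIDER = "MembershipProvider3"


def normalize_user_name(user_name: str) -> str:
    """Canonical form for routing: trimmed and case-folded, so 'Alice' and
    ' alice ' are always sent to the same shard. The same form must be used when
    the row is stored, or the user may later be looked up on the wrong shard."""
    return user_name.strip().casefold()


def select_provider(user_name: str, rules=PARTITION_RULES, default: str = DEFAULT_PROVIDER) -> str:
    """Map a user name to the provider (and therefore the database) that owns it."""
    name = normalize_user_name(user_name)
    if not name:
        raise ValueError("empty user name")
    first = name[0]
    for low, high, provider in rules:
        if low.casefold() <= first <= high.casefold():
            return provider
    return default


def validate_rules(rules=PARTITION_RULES) -> list[str]:
    """Every letter a-z must match exactly one rule: a gap silently dumps users
    on the default shard, an overlap makes routing depend on rule order."""
    problems = []
    for ch in "abcdefghijklmnopqrstuvwxyz":
        hits = [p for low, high, p in rules if low.casefold() <= ch <= high.casefold()]
        if not hits:
            problems.append(f"no rule for names starting with {ch!r}")
        elif len(hits) > 1:
            problems.append(f"{ch!r} matched by more than one rule: {hits}")
    return problems


class StubProvider:
    """Stands in for a membership provider bound to one database (constructed
    for the demo; a real provider validates against stored salted hashes)."""

    def __init__(self, users: dict[str, str]):
        self.users = users  # user_name -> password, demo only

    def validate_user(self, user_name: str, password: str) -> bool:
        return self.users.get(user_name) == password


def login(user_name: str, password: str, providers: dict[str, StubProvider]) -> bool:
    """Shape of a provider-centric WebMethod: resolve the provider from the user
    name first, then delegate the actual check to that provider."""
    provider = providers[select_provider(user_name)]
    return provider.validate_user(normalize_user_name(user_name), password)
```

Register and password reset follow the same shape: resolve the provider from the user name, then call the provider. Because the selector is the only place that knows the partitioning, adding a fourth database means editing the rules (and running the validator), not the WebMethods.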

  18. .NET Framework 2.0 APIs used in the profile setter/getter

  19. Design: Security. Two security surfaces: • Secured access to the web service • Secured access to the databases. Security: the key is to follow standards instead of home-grown/custom/ad hoc approaches.

  20. Security Design Patterns Platform independent design patterns focusing on critical aspects of Web service security. • Authentication Patterns • Direct authentication • Using: SQL, ADAM, Kerberos • Brokered authentication • Kerberos, X.509, Security Token Service (SAML) • Message Protection Patterns • Data confidentiality • Data origin authentication and integrity • Resource Access Patterns • Protocol transition and constrained delegation • Trusted subsystem • Boundary Defense Patterns • Message replay detection • Message validation • Exception shielding • Secure Deployment Patterns • Perimeter service router

  21. DESIGN: Aspects of message level security

  22. Design: Security of resource access (from the web service to the database). The trust boundary runs between the Web/App Server and SQL Server; the service connects to the database under a single trusted service identity.

  23. Design: how do we get a relational profile data model? • Assumption: SQL Server 2005 is used for data mining and reporting; • How do we get a relational profile data model? • Wrap the profile attributes in a single profile property with serializeAs="xml" (see below); • The PropertyValuesString column then contains well-formed XML documents instead of a custom-formatted string blob; • The PropertyValuesString column becomes an xml data type in SQL Server 2005, either typed or untyped;

  24. The user profile as XML (PropertyValuesString column)

  25. The user profile as an XML column

  26. Design: profile data model - relational vs XML • For a long time: • Relational: Storage: relational data tables; Definition: data model; Query: SQL • XML: Storage: XML documents or XML fragments; Definition: XML schema; Query: XPath • Diagram components: Relational Database, XML file/stream/string, Class, XmlSerializer, DOM, XPath

  27. Design: profile data model - relational vs XML • Advances in database technology: • Relational: Storage: relational data tables; Definition: data model; Query: SQL • XML: Storage: XML documents or XML fragments; Definition: XML schema; Query: XPath • XQuery: • Standard: W3C (http://www.w3.org/TR/xquery/) • Implementations: Microsoft SQL Server 2005, IBM DB2 9.0, Oracle 10g • Diagram components: Relational Database, XML file/stream/string, XQuery
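  The design of slides 23 and 26-27 in code, as an added example (not the talk's code, and in Python rather than the talk's .NET): one profile class is serialized into a single well-formed XML document, which is what would sit in PropertyValuesString, and the same document is then flattened into the relational shape slide 7 asks for, a users row for the single-valued attributes and one favorites row per value for the multi-valued one. Element names and the profile fields are assumptions; in the talk this split is done by XQuery over the xml column, here the XPath equivalent runs in the application.

```python
"""One XML-serialized profile property and its relational view."""
from __future__ import annotations

from dataclasses import dataclass, field
import xml.etree.ElementTree as ET


@dataclass
class UserProfile:
    """Assumed profile class; in the talk this is the single profile property
    configured with serializeAs="xml"."""
    user_name: str
    email: str
    zip: str
    name: str
    favorites: list[str] = field(default_factory=list)


def to_xml(p: UserProfile) -> str:
    """Produce the document stored in PropertyValuesString. ElementTree escapes
    '<' and '&' in values, so profile text supplied by the client cannot break
    the document or smuggle in elements."""
    root = ET.Element("UserProfile")
    for tag, value in (("UserName", p.user_name), ("Email", p.email),
                       ("Zip", p.zip), ("Name", p.name)):
        ET.SubElement(root, tag).text = value
    favs = ET.SubElement(root, "Favorites")
    for f in p.favorites:
        ET.SubElement(favs, "Favorite").text = f
    return ET.tostring(root, encoding="unicode")


def from_xml(doc: str) -> UserProfile:
    """Inverse of to_xml. Raises ET.ParseError on a document that is not
    well-formed, which is exactly what a typed/untyped xml column would also
    reject at insert time. When parsing documents from an untrusted source
    outside the database, use defusedxml to block entity-expansion attacks."""
    root = ET.fromstring(doc)
    return UserProfile(
        user_name=root.findtext("UserName", ""),
        email=root.findtext("Email", ""),
        zip=root.findtext("Zip", ""),
        name=root.findtext("Name", ""),
        favorites=[e.text or "" for e in root.findall("Favorites/Favorite")],
    )


def to_relational(doc: str) -> tuple[dict, list[dict]]:
    """Flatten one PropertyValuesString document into a users row (single-valued
    attributes -> columns) and favorites rows (multi-valued -> separate table
    keyed by user name), using XPath over the document."""
    root = ET.fromstring(doc)
    row = {tag: root.findtext(tag, "") for tag in ("UserName", "Email", "Zip", "Name")}
    favorites = [{"UserName": row["UserName"], "Favorite": e.text or ""}
                 for e in root.findall("Favorites/Favorite")]
    return row, favorites
```

The point of the round trip is that the relational view needs no custom string parser: the same document that the profile provider writes is queryable by XPath in the application and by XQuery in SQL Server 2005, and a document that does not parse is rejected instead of being stored as an opaque blob.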

  28. Database types, XQuery support and future developments

  29. Design: profile data model

  30. The user profile as a table in the PropertyValuesString column

  31. XQuery against MAPDB1_xml

  32. Design: supporting existing users • Difficulties: • User passwords are non-retrievable • Hash process: string -> encoding -> byte[] -> salt -> hash(byte[]) -> base64 string (CryptographyAPI.HashPassword_Aspnet20) • Different user password encoding, salt and hash: SHA1 is preferable because it produces a larger hash and is considered cryptographically stronger than MD5. (Caveat for today's reader: that comparison dates from 2006. SHA-1 is no longer considered collision-resistant, and more importantly both MD5 and SHA-1 are fast hashes, so a leaked salted table is still cheap to brute-force offline; for newly set passwords the current standard is a deliberately slow, salted scheme such as PBKDF2, bcrypt or Argon2.)

  33. Background: why use a salt? • Dictionary attack: pre-compute the hashes of a list of likely passwords and look each one up in the stolen password-hash table • Without salt: • Total # of hashes = [# words] × 1 • Total # of SELECT queries = [# words] × 1 • With a per-user salt: • Total # of hashes = [# words] × [# of users] • Total # of SELECT queries = [# words] × [# of users]
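  The hash pipeline of slides 8 and 32 and the salt argument of slide 33, as an added example (not the talk's CryptographyAPI.HashPassword_Aspnet20, and in Python rather than .NET). The aspnet20 branch follows the talk's string -> encoding -> byte[] -> salt -> hash -> base64 pipeline with the choices the ASP.NET 2.0 SqlMembershipProvider makes for hashed passwords: UTF-16LE encoding, a random 16-byte salt stored base64-encoded and prepended to the password bytes, SHA-1, base64 output. The legacy scheme (unsalted hex MD5 of the UTF-8 password, different encoding, no salt, different hash) is an assumption standing in for whatever the old site used; the record format labels are also assumptions. Going beyond the slide, which only re-hashes on change or reset, the verifier also upgrades a legacy record on a successful login, because that is the only other moment the plaintext is in hand.

```python
"""Verify legacy and ASP.NET 2.0-style password hashes side by side."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os


def hash_legacy(password: str) -> str:
    """Assumed legacy scheme: UTF-8 encoding, no salt, MD5, hex output."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def generate_salt() -> str:
    """16 random bytes per user, stored base64-encoded beside the hash. A per-user
    salt is what turns one dictionary hash per word into one per word per user."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def hash_aspnet20(password: str, salt_b64: str) -> str:
    """string -> UTF-16LE bytes -> salt || bytes -> SHA-1 -> base64."""
    salt = base64.b64decode(salt_b64)
    pwd = password.encode("utf-16-le")  # Encoding.Unicode in .NET
    return base64.b64encode(hashlib.sha1(salt + pwd).digest()).decode("ascii")


def make_record(password: str) -> dict:
    """Record stored for a user whose password was set under the new standard."""
    salt = generate_salt()
    return {"format": "aspnet20-sha1", "salt": salt, "hash": hash_aspnet20(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> tuple[bool, dict]:
    """Return (ok, record). Dispatch on the stored format; comparisons are
    constant-time. A successful legacy login returns a record re-hashed under
    the new standard so the caller can persist it; a failed one returns the
    record untouched."""
    fmt = record["format"]
    if fmt == "aspnet20-sha1":
        ok = hmac.compare_digest(hash_aspnet20(password, record["salt"]), record["hash"])
        return ok, record
    if fmt == "legacy-md5-hex":
        ok = hmac.compare_digest(hash_legacy(password), record["hash"])
        return ok, (make_record(password) if ok else record)
    raise ValueError(f"unknown password format {fmt!r}")
```

Because the format tag travels with each record, both kinds of user coexist in the same table and the legacy branch can be deleted once no record carries its tag, which is a query rather than a guess.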

  34. How do we import the existing users' Membership and Profile data? Excerpt of the legacy user export (Jive Forums format):

  <?xml version="1.0" encoding="UTF-8" ?>
  <Jive xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.jivesoftware.com/products/forums/jiveforums.xsd" xmlversion="4.0" exportDate="2006/06/13 12:35:35.254 PDT">
    <UserList>
      <User id="700000000">
        <Username>lwbernard</Username>
        <Password>936e3bc0c93d56a2eb069e334c5303ac</Password>
        <Email visible="false">bernard@liveworld.com</Email>
        <Name visible="false">Bernard Bernstein</Name>
        <CreationDate>2006/01/26 11:00:31.588 PST</CreationDate>
        <ModifiedDate>2006/05/12 10:57:12.638 PDT</ModifiedDate>
        <PropertyList>
          <Property name="profileVisibility" value="all" />
          <Property name="watch.mode" value="2" />
          <Property name="Location" value="test location" />
          <Property name="jive.passwordreset.last_sent" value="1143572162268" />
          <Property name="jiveThreadRange" value="10" />
          <Property name="imageApproved" value="false" />
          <Property name="Biography" value="This is my biography" />
          <Property name="Occupation" value="test occupation" />
          <Property name="jiveOccupation" value="test occupation" />
          <Property name="jiveLocation" value="test location" />
          <Property name="jiveMessageRange" value="10" />
          <Property name="jiveBiography" value="This is my biography" />
          <Property name="jiveAdminGroupRange" value="15" />
          <Property name="messageSortOrder" value="revChron" />
          <Property name="emailMode" value="hide" />
          <Property name="lastIP" value="172.16.247.178" />
          <Property name="jiveThreadMode" value="flat" />
          <Property name="profile-updated" value="200605311118" />
          <Property name="jive.passwordreset.token" value="pES4GAt8" />
          <Property name="curIP" value="70.20.21.178" />
          <Property name="Homepage" value="test homepage" />
          <Property name="profileApproved" value="false" />
          <Property name="user-blog-updated" value="200605311118" />
          <Property name="jiveTimeZoneID" value="America/New_York" />
          <Property name="show" value="true" />
          <Property name="jiveLocale" value="en_US" />
          <Property name="jiveSignatureVisible" value="false" />
          <Property name="jiveHomepage" value="test homepage" />
          <Property name="jive.passwordreset.timestamp" value="1143572162268" />
          <Property name="emailOnPM" value="true" />
          <Property name="blogForumID" value="700000007,700000046" />
        </PropertyList>
      </User>

  Steps: • Create the user's membership with a dummy password • Set the password directly to the exported hashed password • Parse the profile data and create the user profile
  NOTES: For performance and to handle large files, do not use XmlDocument to read and parse the whole XML file. Instead, use StreamReader and XmlReader to read node by node.

  35. Console app to load the migrated user data
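  The three import steps and the streaming advice of slide 34, as an added example (not the talk's console app, and in Python rather than .NET): xml.etree.ElementTree.iterparse handles one <User> element at a time and releases it, the equivalent of reading node by node with XmlReader instead of loading the whole export into a DOM. The export sample is constructed in the shape of the slide's excerpt, the in-memory stores stand in for the MAP membership and profile providers, and the decision to skip the jive.passwordreset.* properties (a reset token and its timestamps are secrets of the old system, not profile data) is an assumption rather than something the talk states.

```python
"""Streaming import of a legacy user export into membership and profile stores."""
from __future__ import annotations

import io
import secrets
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the slide's excerpt: two importable users
# and one malformed record without a password.
SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<Jive xmlversion="4.0">
  <UserList>
    <User id="700000000">
      <Username>lwbernard</Username>
      <Password>936e3bc0c93d56a2eb069e334c5303ac</Password>
      <Email visible="false">bernard@example.com</Email>
      <Name visible="false">Bernard Bernstein</Name>
      <PropertyList>
        <Property name="Location" value="test location"/>
        <Property name="jive.passwordreset.token" value="pES4GAt8"/>
        <Property name="jiveTimeZoneID" value="America/New_York"/>
      </PropertyList>
    </User>
    <User id="700000001">
      <Username>second</Username>
      <Password>d41d8cd98f00b204e9800998ecf8427e</Password>
      <Email>second@example.com</Email>
      <Name>Second User</Name>
      <PropertyList/>
    </User>
    <User id="700000002">
      <Username>nopass</Username>
      <PropertyList/>
    </User>
  </UserList>
</Jive>
"""

# Assumed policy: old-system secrets and transient state are not profile data.
SKIP_PREFIXES = ("jive.passwordreset.",)


class Stores:
    """Stand-in for the MAP membership provider and profile provider."""

    def __init__(self) -> None:
        self.members: dict[str, dict] = {}   # user_name -> {"email", "format", "hash"}
        self.profiles: dict[str, dict] = {}  # user_name -> {"Name", <property>: value}

    def create_user(self, user_name: str, dummy_password: str, email: str) -> None:
        if user_name in self.members:
            raise ValueError(f"duplicate user {user_name!r}")
        self.members[user_name] = {"email": email, "format": "dummy", "hash": dummy_password}

    def set_password_hash(self, user_name: str, fmt: str, stored_hash: str) -> None:
        self.members[user_name].update({"format": fmt, "hash": stored_hash})

    def set_profile(self, user_name: str, props: dict) -> None:
        self.profiles[user_name] = props


def import_users(stream, stores: Stores) -> int:
    """Process the export one <User> at a time; returns the number imported."""
    imported = 0
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != "User":
            continue
        user_name = (elem.findtext("Username") or "").strip()
        legacy_hash = (elem.findtext("Password") or "").strip()
        if not user_name or not legacy_hash:
            elem.clear()
            continue  # never create an account with no usable credential
        # Step 1: create the member with a random throwaway password.
        stores.create_user(user_name, secrets.token_urlsafe(24), elem.findtext("Email", ""))
        # Step 2: overwrite the stored hash with the exported one, tagged with
        # its format so the login path knows how to verify it.
        stores.set_password_hash(user_name, "legacy-md5-hex", legacy_hash)
        # Step 3: build the profile from Name plus the PropertyList.
        props = {"Name": elem.findtext("Name", "")}
        for prop in elem.iterfind("PropertyList/Property"):
            name = prop.get("name", "")
            if name.startswith(SKIP_PREFIXES):
                continue
            props[name] = prop.get("value", "")
        stores.set_profile(user_name, props)
        imported += 1
        elem.clear()  # drop the finished subtree so memory stays flat on large exports
    return imported


def run_sample_import() -> tuple[int, Stores]:
    """Run the importer over the constructed sample."""
    stores = Stores()
    return import_users(io.BytesIO(SAMPLE_EXPORT), stores), stores
```

The order of the three steps matters: creating the member first gives the row a key, and the exported hash is written only afterwards, so a failure between the two leaves an account with an unguessable random password rather than one with no credential at all.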

  36. Design: supporting existing users • Difficulties: • Mobile users and PC users register differently. • There is no fixed order between a user's mobile registration and PC registration. • We cannot force consolidation (a PC user may not have a mobile account, and a mobile user may not have a PC account). • Goal: a unified user experience. • Solution: the merge is initiated by the user.

  37. Summary: • A service, not an ASP.NET website (no HttpContext) • Scalability: not only at the web service tier but also at the database tier • Data model: profile data for data mining • Support for existing users • Mobile user support: consistent with PC users • Security: web service and database

  38. Resources • Web Services & Other Distributed Technologies Developer Center(msdn.microsoft.com/webservices/building/wse) • Video presentations by WSE Team • Hands on Labs for Messaging and Security • Articles on WSE 3.0 • WSE 3.0 Security: Interoperability Considerations • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wss_appx_interopcons_wse30.asp • Introduction to Building Windows Communication Foundation Services, Clemens Vasters, MSDN Online: http://msdn.microsoft.com/webservices/indigo/default.aspx?pull=/library/en-us/dnlong/html/introtowcf.asp

  39. APPENDIX: SecurityWS connecting to SQL using Trusted Subsystem Model • To use Network Service account: • In SQL Server, add SQL Login/DB User: domain\webmachinename$ (an existing internal account) • To use custom service account in ASP.NET 2.0 (for mirrored service account): • Create local or domain account • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis –ga domain\acct • Create and use custom AppPool • Gotchas: • Make sure World Wide Web Publishing service is started. • Restart World Wide Web Publishing service after change of AppPool to avoid “Mutex cannot be created” error. • Grant custom service account Read/Write access to C:\Windows\Temp\

  40. Q&A
