The .NET Runtime and IIS
Presented by Chris Dickey – cdickey.net consulting, www.cdickey.net

Topics
* Installing the .NET runtime
* The role of IIS as the application server
* .NET Remoting and Web Services
* How the .NET runtime works with IIS 5.0
* Significance of the HTTP Pipeline
* Security
* What's coming with IIS 6.0

Installing the .NET Runtime
* http://msdn.microsoft.com/netframework/downloads/default.asp
* Windows Update Service
* .NET Runtime
* .NET SDK + Runtime
* Visual Studio.NET

IIS is the Application Server
* Static Pages
* ISAPI
* ASP
* ASP.NET
* Web Services
* Remoting
* Connection Point to SQL Server

ASP.NET Web Pages
* What most people think of as ASP.NET
* Compiled web pages
* Huge advance over the previous ASP version
* Lots of well-known features

Web Services
* Communication between diverse systems
* SOAP packets transported using the HTTP and SMTP protocols
* Application connectivity protocol
* IIS is the client connection point
* Takes advantage of the HTTP Runtime

.NET Remoting
* Replacement for DCOM, tailored for .NET-to-.NET communications
* Can be hosted by the ASP.NET runtime
* Takes advantage of the HTTP Runtime

.NET compatibility and interoperability
* ASP.NET coexists with IIS 5.0 and ASP
* Runs in a separate process
* Doesn't use the registry
* Routed through the IIS ISAPI
* Can't share sessions – 2 separate systems

IIS 5.0 and ASP.NET Runtime (diagram slide)

HTTP Pipeline
* General-purpose framework for server-side HTTP programming
* Foundation for ASP.NET pages, Web Services, Remoting
* HttpModules
* HttpHandlers
* HttpContext, HttpContext.User
* ISAPI equivalent: HTTP_FILTER_CONTEXT

ASP.NET Request Processing (diagram slide: the request passes from the host, IIS, in native code into the ASP.NET Runtime in .NET code, through the HTTP Modules, the HttpContext and the Global.asax Application, to the HTTP Handler: an ASP.NET Page or Service)

Configuration Files / Accounts
* XML configuration files – case sensitive
* Can be read by all authenticated users
* machine.config
* web.config – machine, site, application, folder levels
* Accounts: SYSTEM, ASPNET, IUSR_<machine>, IWAM_<machine>

Demo
* Run .NET app – HttpHandler
* Show IIS 5.0 config
* Show aspnet_wp.exe process – only 1
* *.config files

Security Services
* ASP.NET support for authentication and authorization
* Extensible and customizable
* Authentication scheme transparency
* Simple deployment model
* Support for granular declarative and imperative authorizations
* Uses CLR Evidence-Based Security
* Supports application layer security

Flow of Security (diagram slide)

Process Identity
* Windows 2000: default is ASPNET; can also run with the SYSTEM account or a configured account using <processModel>
* Windows .NET Server: uses the IIS 6 process model; default is NetworkService; App Pools are configurable, identity is configurable

HTTP Pipeline Authentication
* ASP.NET is an ISAPI extension – only receives requests for mapped content
* Windows Authentication (via IIS): Basic, Digest, NTLM, Kerberos, IIS Certificate Support
* Forms-based (Cookie) Authentication – application credential verification
* Supports Microsoft Passport Authentication
* Custom Authentication

Forms-Based Auth
* Easy to implement
* ASP.NET provides redirection
* Steps:
  1. Configure IIS to allow anonymous users (typically)
  2. Use SSL!
  3. Configure ASP.NET cookie authentication
  4. Write your login page

How It Works: Forms Authentication (diagram: Web Browser, IIS/ASP.NET, SQL/AD)
1. GET default.aspx HTTP/1.1
2. 302 Redirect, Location: login.aspx
3. POST default.aspx HTTP/1.1 (form data containing credentials)
4. App authentication (IIS/ASP.NET checks the credentials against SQL/AD)
5. 200 OK, Set-Cookie: .ASPXAUTH Auth Ticket
6. GET default.aspx HTTP/1.1, Cookie: .ASPXAUTH Auth Ticket

Custom Web Authentication
* Handle the AuthenticateRequest event
* Application level (global.asax) or Http Module (implement IHttpModule)
* Scenarios:
  * Custom SOAP authentication, e.g., an application-defined scheme based on SOAP headers
  * Forms authentication for mobile devices without cookies
  * Customize forms authentication

Authorization Strategies
* Windows Security and ACLs – ACLs checked for Windows auth, independent of impersonation
* COM+ Roles
* URL Authorization
* Custom Authorization
* Windows .NET AuthZ Framework
* Explicit imperative/declarative checks

Web Apps: Custom Roles
* Handle the authentication event
* Replace HttpContext.User with a custom IPrincipal or GenericPrincipal

    // Global.asax handler for the WindowsAuthentication module's Authenticate event;
    // MyPrincipal is an application-defined IPrincipal wrapping the WindowsIdentity
    public void WindowsAuthentication_OnAuthenticate(
        object src, WindowsAuthenticationEventArgs e)
    {
        // replace the HttpContext Principal
        e.Context.User = new MyPrincipal(e.Identity);
    }

Use Custom Roles
* Application defines roles
* Strategies:
  * Define Windows/AD groups and use WindowsPrincipal
  * Use GenericPrincipal or IPrincipal

    // System.Security.Principal.IPrincipal
    public interface IPrincipal
    {
        IIdentity Identity { get; }
        bool IsInRole(string role);
    }

Custom Web Authorization
* Handle the AuthorizeRequest event
* Application level (global.asax) or Http Module (implement IHttpModule)
* Scenarios:
  * Implement a per-request billing system
  * Restrict access based on business rules
  * Restrict access based on dynamic behaviors (e.g., implement a per-day access limit)
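The configuration behind the Forms-Based Auth steps and the URL Authorization strategy above, as an added example that is not from the deck: a constructed web.config fragment showing the bare default forms settings beside hardened ones. The requireSSL and slidingExpiration attributes assume .NET Framework 1.1 or later, and the module type name is a placeholder.

```xml
<!-- Constructed web.config fragment (added example, not from the deck) -->
<configuration>
  <system.web>
    <!-- Bare defaults: the ticket cookie is also sent over plain HTTP and
         lives for the default 30 minutes with sliding expiration:
         <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication> -->
    <authentication mode="Forms">
      <!-- Hardened: ticket encrypted and MAC-validated (protection="All"),
           cookie marked Secure so the browser only sends it over SSL,
           fixed 20-minute lifetime -->
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All"
             requireSSL="true" timeout="20" slidingExpiration="false" />
    </authentication>
    <!-- URL Authorization: "?" is the anonymous user; denying it here
         forces the 302 to login.aspx for every unauthenticated request -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Custom authentication/authorization module (hypothetical type name;
         use "Namespace.Type, Assembly" when compiled into a DLL) -->
    <httpModules>
      <add name="CustomAuth" type="MyApp.CustomAuthModule, MyApp" />
    </httpModules>
  </system.web>
  <!-- The login page itself must stay reachable anonymously -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- Folder-level rule: only the application-defined Admin role,
       evaluated through HttpContext.User.IsInRole -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Rules are evaluated top to bottom and the first match wins, so the `<deny users="*" />` must follow the `<allow roles="Admin" />`; IIS must also have anonymous access enabled on the application, since ASP.NET only sees requests for content mapped to its ISAPI extension.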
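An added example, not from the deck, of the Custom Web Authentication and Custom Web Authorization scenarios above: a hypothetical IHttpModule (RoleAndQuotaModule, with a constructed in-memory role table) that replaces HttpContext.User with a GenericPrincipal carrying application-defined roles and then enforces a per-day access limit. It assumes forms authentication is enabled and .NET Framework 2.0 or later for the generic collections.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
// Hypothetical module: app-defined roles in AuthenticateRequest, a per-day
// access limit in AuthorizeRequest. Register it under <httpModules>.
public class RoleAndQuotaModule : IHttpModule
{
    // Constructed sample role store; a real app would read SQL or AD.
    static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Admin", "Billing" } },
            { "bob",   new[] { "Billing" } },
        };
    const int DailyLimit = 1000; // assumed quota for non-Admin users
    // Per-process counter: resets when aspnet_wp.exe or the app pool recycles.
    static readonly Dictionary<string, int> Hits = new Dictionary<string, int>();

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticate;
        app.AuthorizeRequest += OnAuthorize;
    }

    static void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // FormsAuthenticationModule has already validated the .ASPXAUTH ticket;
        // only a user it marked authenticated is given roles.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        string[] roles;
        if (!Roles.TryGetValue(ctx.User.Identity.Name, out roles)) roles = new string[0];
        ctx.User = new GenericPrincipal(ctx.User.Identity, roles);
    }

    static void OnAuthorize(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        if (ctx.User.IsInRole("Admin")) return; // admins are not metered
        string key = ctx.User.Identity.Name + ":" + DateTime.UtcNow.ToString("yyyyMMdd");
        int n;
        lock (Hits) { Hits.TryGetValue(key, out n); Hits[key] = ++n; }
        if (n > DailyLimit)
        {
            ctx.Response.StatusCode = 403; // Forbidden: quota exhausted
            ctx.ApplicationInstance.CompleteRequest(); // skip the handler
        }
    }
    public void Dispose() { }
}
```

Anonymous requests are left to URL Authorization, which runs after AuthorizeRequest handlers registered in application modules; the quota check only applies once a ticket has been validated.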
Internet Information Services 6
* Complete rearchitecture
* Kernel-mode HTTP
* Web server security lockdown wizard
* Worker process application pools

IIS 6.0 Architecture (diagram slide)

IIS 6.0 Application Pools (diagram slide)

IIS 6.0 Process Recycling (diagram slide)

References
* MSDN Magazine – September 2002
* www.WindowsWebSolutions.com
* Keith Brown – portals.devx.com/SummitDays/Article/6666
* Tim Ewald – msdn.microsoft.com/msdnmag/issues/02/09/HTTPPipelines/default.aspx
* Technical Overview of IIS 6.0 – www.microsoft.com/windows.netserver/techinfo/overview/iis.mspx
* Windows .NET Server Devcon – www.microsoft.com/misc/external/serverdevcon/