作者 主題: .net Security -寫出更安全的程式碼 研討會後整理分享  (閱讀 5943 次)


講師: 蔡捷雲

*** 關於 .net framework 內建permission
 http://msdn2.microsoft.com/en-us/library/h846e9b3.aspx

*** Security Policy 的定義檔
http://msdn2.microsoft.com/en-us/library/ms229703.aspx

*** 設定Security Policy 的工具 console-based  caspol.exe
http://msdn2.microsoft.com/en-us/library/yfz2s7ya.aspx

*** 設定Security Policy 的工具 mmi-based .net framework 組態
http://msdn2.microsoft.com/zh-tw/library/2bc0cxhc.aspx

**** Security Tool
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsecuritypolicymanagement.asp

*** 命令列編譯 C# 檔 (csc)
http://msdn2.microsoft.com/en-us/library/78f4aasd.aspx
------ csc /target:library /out:Something.xyz *.cs

*** compile 某個檔當他reference到某個dll
http://msdn2.microsoft.com/en-us/library/64yxa344.aspx
/r:  References an external assembly (EXE or DLL)
csc /r:System.dll /d:TRACE /d:DEBUG=FALSE MyApplication.cs

*** System.Web.Security 引用此dll檔,將使用者加密後帳號密碼寫入cookie中,asp.net
http://msdn2.microsoft.com/en-us/library/system.web.security.aspx
http://phorum.study-area.org/viewtopic.php?t=36531&highlight=using+system+security
objEncrypt = new pEncryption.clsEncryptionClass();
txtUserID.Text = objEncrypt.DecryptWithALP(ref inPara1);
txtPassword.Text = objEncrypt.DecryptWithALP(ref inPara2);

***System.Security.Permissions：用 Demand 檢查呼叫端是否具有某項權限
http://www.dotnet247.com/247reference/msgs/32/162678.aspx


***Assert：宣告目前程式碼已具有某權限，使該權限的堆疊巡覽 (stack walk) 不再往上檢查呼叫端
***Deny：在特定情況下直接拒絕該權限的請求
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurity.asp
http://msdn2.microsoft.com/en-us/library/system.security.permissions.securitypermission_methods.aspx


***設定共享權限 不給設安全性
http://dorm.thu.edu.tw/surf/set/neighbor/index.htm
控制台-->系統管理工具-->本機安全性原則-->安全性設定 -->本機原則-安全性選項-->
網路存取:共用和安全性模式用於本機,改成「傳統 - 本機使用者以自身身分驗證」


***由 Win32 logon token 建立 WindowsIdentity，取得目前登入的使用者帳號
http://msdn2.microsoft.com/zh-tw/library/w070t6ka.aspx
Dim windowsIdentity As New WindowsIdentity(logonToken)
windowsIdentity.GetCurrent().Name



***透過isInRole判斷目前隸屬 BUILTIN\Administrators  還是DOMAINNAME\Administrator
http://msdn2.microsoft.com/en-us/library/86wd8zba.aspx
http://msdn2.microsoft.com/en-us/library/ms127602.aspx
If My.User.IsInRole( _
        ApplicationServices.BuiltInRole.Administrator) Then
    ' Insert code to access a resource here.
End If

***透過WindowsIdentity判斷目前隸屬 BUILTIN\Administrators  還是DOMAINNAME\Administrator
http://msdn2.microsoft.com/en-us/library/system.security.principal.windowsidentity.aspx
-----------------------------------------------------------------------------------------
Dim windowsIdentity As New WindowsIdentity(logonToken)
WriteLine("Created a Windows identity object named " + _
            windowsIdentity.Name + ".")
-----------------------------------------------------------------------------------------



***windowsIdentity得到目前登入者的資訊
http://msdn2.microsoft.com/en-us/library/s88tca5h.aspx
http://msdn2.microsoft.com/en-us/library/wefzhcez.aspx
-----------------------------------------------------------------------------------------
// Read-only snapshot of the current Windows account: every line below just
// copies an IPrincipal/IIdentity property into a string, nothing is written.
WindowsIdentity MyIdentity = WindowsIdentity.GetCurrent();
//Principal values.
// NOTE(review): MyPrincipal is not declared in this excerpt; the VB sample
// further down builds it as New WindowsPrincipal(MyIdent) — presumably the
// same construction is intended here.
         string Name = MyPrincipal.Identity.Name;
         string Type = MyPrincipal.Identity.AuthenticationType;
         string Auth = MyPrincipal.Identity.IsAuthenticated.ToString();

         //Identity values.
         string IdentName = MyIdentity.Name;
         string IdentType = MyIdentity.AuthenticationType;
         string IdentIsAuth = MyIdentity.IsAuthenticated.ToString();
         string ISAnon = MyIdentity.IsAnonymous.ToString();
         string IsG = MyIdentity.IsGuest.ToString();
         string IsSys = MyIdentity.IsSystem.ToString();
         // Token is the raw Windows access-token handle (an IntPtr); its string
         // form is only the handle value, not anything about the user.
         string Token = MyIdentity.Token.ToString();

----------------------------------------------------------------------------------------------
' Wrap the current Windows account in a WindowsPrincipal and check the
' Administrators role twice, once by group name and once by enumeration.
Dim MyIdent As WindowsIdentity = WindowsIdentity.GetCurrent()

' Create a principal.
Dim MyPrincipal As New WindowsPrincipal(MyIdent)

' Check the role using a string.
' The string form hard-codes the English group name; the WindowsBuiltInRole
' check below is the locale-independent equivalent.
If MyPrincipal.IsInRole("BUILTIN\Administrators") Then
    Console.WriteLine("You are an administrator.")
Else
    Console.WriteLine("You are not an administrator.")
End If
' Check the role using an enumeration.
If MyPrincipal.IsInRole(WindowsBuiltInRole.Administrator) Then
    Console.WriteLine("You are an administrator.")
Else
    Console.WriteLine("You are not an administrator.")
End If




***以 FileIOPermission.Demand 檢查呼叫端是否具有某檔案的存取權限
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/netframesecover.asp
-----------------------------------------------------------------------------------
// Demand Write access to the given path under the CAS policy in effect:
// Demand() throws SecurityException if any caller on the stack lacks it.
// This checks a permission; it does not grant the user anything.
String f = @"c:\System Volume Information";
FileIOPermission p =
            new FileIOPermission(
               FileIOPermissionAccess.Write, f);
 p.Demand();


***限制只有windowsgroup群組的使用者才能使用A程序
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh06.asp
/// <summary>
/// Entry point that only members of DomainName\WindowsGroup may run: the
/// imperative PrincipalPermission demand throws SecurityException for any
/// other caller before the method body would execute.
/// </summary>
void A()
{
    // null name + role string + isAuthenticated=true:
    // "any authenticated user who is in this role".
    new PrincipalPermission(null, @"DomainName\WindowsGroup", true).Demand();
}


***指定user為特定群組
電腦管理/系統工具/本機使用者及群組/群組
http://www.microsoft.com/mspress/books/sampchap/6475a.asp

------------------------------------------
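' Role-based branch: only members of the "Doctors" role get the approval text.
' (Restored: the Else had been glued onto the first statement of its branch,
' so the block If did not parse.)
If User.IsInRole("Doctors") Then
    Label3.Text = "Because you are a member of the role " & _
           "'Doctors', your prescription is approved"
Else
    ' Every other caller is refused; the colour change flags it visually.
    Label3.ForeColor = Color.Red
    Label3.Text = "Nurses may not prescribe morphine. " & _
           "You are under arrest."
End If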

------------------------------------------



*** impersonation（模擬固定帳號；此範例將 password 以明碼寫在 web.config 中）
---------------------------------------------------------------------
<identity impersonate="true" userName="bob"
  password="inClearText"/>
--------------------------------------------------------------------


*** IPrincipal介面
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemsecurityprincipaliprincipalclasstopic.asp
Identity 屬性
IsInRole 方法


***identity 物件
AuthenticationType 認證類型
IsAuthenticated 屬性
name 取得目前使用者的名稱
http://msdn2.microsoft.com/en-us/library/system.security.principal.iidentity_properties.aspx



***windows 整合認證
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000025.asp
-------------------------------------------------------------
<system.web>
    ...
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
    ...
 </system.web>
-----------------------------------------------


****form認證
http://msdn.microsoft.com/msdnmag/issues/02/09/HTTPPipelines/default.aspx
-----------------------------------------------------------------------
<configuration>
  <web.config>
    <authentication mode='Forms'/>
    <authorization>
      <deny users='?'/>
      <allow roles='Managers, Staff'/>
      <deny users='*'/>
    </authorization>
  </web.config>
</configuration>
-----------------------------------------------------------------------------


***ASP.NET 授權 (authorization) 有兩種
http://msdn2.microsoft.com/en-us/library/wce3kxhd.aspx
-------------------------------------------------------------------------------
File authorization  
URL authorization  

---------------------------------------------------------------------------------


***web.config 給予權限
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000025.asp
<authorization>
  <allow users="DomainName\Bob, DomainName\Mary" />
  <allow roles="BUILTIN\Administrators, DomainName\Manager" />
  <deny users="*" />
</authorization>


*** 儲存username password
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/mwsdk/html/mwlrfredirectfromloginpagemethods.asp
http://msdn.microsoft.com/msdnmag/issues/02/05/ASPSec2/

-------------------------------------------------------------------------
FormsAuthentication.RedirectFromLoginPage (UserName.Text,
    Persistent.Checked);

---------------------------------------------------------------------------
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/LoginPage.aspx" timeout="10080" />
    </authentication>
  </system.web>
</configuration>

-----------------------------------------------------------------------------


*** 以 MD5/SHA1 雜湊明碼密碼 (HashPasswordForStoringInConfigFile)
http://msdn2.microsoft.com/en-us/library/system.web.security.formsauthentication.hashpasswordforstoringinconfigfile.aspx

http://forums.microsoft.com/MSDN-CHT/ShowPost.aspx?PostID=263158&SiteID=14


---------------------------------------------------
<authentication mode="[Windows|Forms|Passport|None]">
  <forms name="name"
    loginUrl="url"
    protection="[All|None|Encryption|Validation]"
    path="path" timeout="minutes"
    requireSSL="[true|false]"
    slidingExpiration="[true|false]">
    <credentials passwordFormat="[Clear|MD5|SHA1]">
      <user name="username"
        password="password"/>
      </credentials>
  </forms>
  <passport redirectUrl="internal" />
</authentication>

<authorization>
  <allow users="comma-separated list of users"
      roles="comma-separated list of roles" />
  <deny  users="comma-separated list of users"
      roles="comma-separated list of roles" />
</authorization>
-------------------------------------------------------


// HashPasswordForStoringInConfigFile only hashes the string it is given:
// the salt in the first call comes from the caller (saltAndPwd is built
// elsewhere), while the second call hashes the bare password "1234" with MD5.
string hashedPwd =
        FormsAuthentication.HashPasswordForStoringInConfigFile(
                                             saltAndPwd, "SHA1");

// NOTE(review): this statement is missing its trailing semicolon as pasted.
string strYourHashCode = System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile("1234","md5")


---------------------------------------------------------------------------