
C# security, Scheduled Task/Windows Service, use one user for web calls, another for DB updates

I have a scheduled task to create to get data from a site using the WebClient class. How do I execute a database update with the data retrieved under a different Windows user? I was told not to use the same account to access the site as performs the update. Should I just create a Windows service that runs the web request then call a db component with authentication settings set under IIS to run under a different user? Or is there a tidier way to do this running a single exe as a scheduled task? The scheduled task runs under a single user. Could I run the task and switch user for the update? We are using Windows authentication at the database level.

Run two Windows Services. One to get the data from the website, running under Account "A" which stores the data locally. The other Windows Service running under Account "B" picks up the locally stored data and executes the database update.

Other designs will require you to store the credentials somewhere in a config or other file - this way the Windows Services are always running under the correct account for the task they are attempting.

You clearly stated that you will have to use a Windows user to get access to the database. However, often this will not be the case when you authenticate against a web site, so exactly how you solve your problem will depend on the details of that.

You should probably execute your process as the Windows user that has access to the database. Then you have to solve how to authenticate against the web site. If the site uses forms-based authentication it is a bit complicated, but there is an answer to the question "WebClient accessing page with credentials" that might help.

If you need to use the WebClient.Credentials property to authenticate against the web site you might find it easier to execute your process as the user that has access to the web site. You then need to use impersonation to access the database. A simple way to do that is to use the SimpleImpersonation NuGet package.

In most cases you will have to store the password for one of the users so your process can use it to either log in to the web site or impersonate the user. A relatively safe way to store the password is to use the Windows Data Protection API (DPAPI). The class ProtectedData can assist you in storing secrets so only a specific user on the computer can access the secret (e.g. the password).
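The following is an added example, not code from the original answer: it shows the first option described above, where the process runs as the Windows account that has database access and the web site password is kept in a DPAPI-protected file that only that account can decrypt. The file path, entropy string, user name, domain and URL are hypothetical placeholders, and the directory is assumed to exist with an ACL limited to the task account.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography; // .NET Framework: reference System.Security.dll
using System.Text;

static class WebSecret
{
    // Hypothetical location and application-specific entropy for this example.
    const string SecretPath = @"C:\ProgramData\DataSync\web.secret";
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("DataSync.WebPassword.v1");

    // Run once, logged on as the account the scheduled task will use.
    public static void Save(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            // CurrentUser scope ties the blob to the calling Windows account.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(SecretPath, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Throws CryptographicException when called under a different Windows account.
    public static string Load()
    {
        byte[] blob = File.ReadAllBytes(SecretPath);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }
}

static class Program
{
    static void Main(string[] args)
    {
        if (args.Length == 1 && args[0] == "--save")
        {
            Console.Write("Web site password: ");
            WebSecret.Save(Console.ReadLine());
            return;
        }
        using (var client = new WebClient())
        {
            // Web site identity is supplied explicitly; it is not the process account.
            client.Credentials = new NetworkCredential("webuser", WebSecret.Load(), "EXAMPLE");
            string data = client.DownloadString("https://intranet.example/data");
            // The database update then uses Windows authentication as the process account.
        }
    }
}
```

The task account's user profile must be loaded for CurrentUser-scope DPAPI to work, so the `--save` step has to be run as that same account.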
