ASP.Net Identity 2.0无人参与登录
[英]ASP.Net Identity 2.0 Unattended Login
问题描述
I'm using ASP.Net Identity 2.2 in a web application and it's working great. 
我在Web应用程序中使用ASP.Net Identity 2.2,并且运行良好。
What I want to do is have a background service that accesses the web application in order to generate Thumbnails and / or pdfs of some of the pages. 我想要做的是拥有一个访问Web应用程序的后台服务,以便生成某些页面的Thumbnails和/或pdfs。 This service may end up running as within the w3wp.exe process and is triggered by certain web requests made by users, eg the user changes some settings and the background service is triggered to regenerate the thumbnails. 该服务可能最终会像在w3wp.exe进程中一样运行,并由用户发出的某些Web请求触发,例如,用户更改了某些设置,并且触发了后台服务以重新生成缩略图。
The problem is allowing the background service to access the pages without opening a back-door that others could use to access the pages. 问题是允许后台服务访问页面而无需打开其他人可以用来访问页面的后门。 Currently I have code that can copy the authentication cookies from a web request and use them to request the pages and generate thumbnails but I need to be able to do this WITHOUT any existing connection to copy the cookies from. 当前,我有可以从Web请求中复制身份验证cookie并使用它们来请求页面并生成缩略图的代码,但是我需要能够在没有任何现有连接的情况下从中复制cookie。 It needs to be able to get its own cookies. 它需要能够获得自己的cookie。
The libraries I am using to generate PDFs / Thumbnails work by making normal web requests to the web server and use headless browsers. 我用来生成PDF /缩略图的库通过向Web服务器发出正常的Web请求并使用无头浏览器来工作。 I need to go through the web server as the pages include a lot of javascript and ajax so static pages would be difficult to generate. 我需要浏览Web服务器,因为页面包含很多javascript和ajax,因此静态页面将很难生成。
Ideally it should use a "system" user that nobody on the web can log in as. 理想情况下,它应该使用网络上没有人可以登录的“系统”用户。
I don't want to be storing the password for a user in a form that can be revseribly decoded (all passwords are hashed in the database). 我不想以可重新解码的形式存储用户的密码(所有密码都在数据库中散列)。
Does anyone have any idea how to do this? 有谁知道如何做到这一点?
I had the idea that if there were a solid way to identify a request was coming from the thumbnail service then the server could just call the signin() function without needing a password but that is of course a difficult problem in itself as we would want to protect against people running web browsers on the server to bypass security. 我的想法是,如果有一种可靠的方法来识别来自缩略图服务的请求,则服务器可以直接调用signin()函数而不需要密码,但这当然是我们想要的一个难题防止有人在服务器上运行Web浏览器来绕过安全性。 I wasn thinking maybe a shared (single use) secret but not sure if this can be done securely enough. 我当时不是在考虑共享(一次性使用)机密,但不确定是否可以安全地完成此操作。
1 个解决方案
解决方案1
0 2016-11-15 14:56:42
You could make the service run with a particular user of your web service and then allow that user to access the specified resources of your web site, adding to your web.config something like this: 您可以使该服务与您的Web服务的特定用户一起运行,然后允许该用户访问您网站的指定资源,并在您的web.config添加如下内容:
<location path="yourdomain/yourresource">
<system.web>
<authorization>
<allow users="domainname\user" />
<deny users="*" />
</authorization>
</system.web>
</location>
In this way you will not have to create a fake user that has zero business value, nor hardcode or configure username and password in your service. 这样,您将无需创建业务价值为零的伪造用户,也无需在服务中硬编码或配置用户名和密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.