
ASP.Net MVC2 Securing the site via tokens and whatnot

I am trying to use MVC 2 as a middle layer for my iPhone app. The basic principle here is that the MVC site will expose APIs that will allow users to POST data from the iPhone and GET data from the SQL database running behind the MVC app. The MVC 2 project will facilitate the to-and-fro logic.

I have a few questions regarding that...

1. What is the best way of securing the MVC app so that only recognized iPhones can access the GET/POST methods?
2. Can I use a shared hosting account for SQL Server and start pointing my dbconnections to it?
3. Any other thoughts on best implementing this?

I am quite new to MVC but very excited about using it...

Thank you!

I'm not sure how much your post is actually about ASP.NET MVC.

Your first question is how to secure the app so that only recognized iPhones can access the GET/POST methods. This sounds more like an HTTP question, and I guess it depends on your definition of "secure" and what you're trying for. You could potentially send the license key (over HTTPS, I would assume) from the iPhone and authenticate that. However, there's nothing stopping someone from sharing this key or using it from a non-iPhone. You could create a hash or something on registration and then validate against that (think Windows validation), which might help, but there will always be ways around this. In short, you're not going to be able to truly test against "registered iPhones", but rather against something that you define as a "registered iPhone", which could potentially be spoofed but is "good enough" for your needs.

In MVC, validation should be done at the attribute level -- you would decorate your actions with some sort of validation attribute. The built-in one is called Authorize and works with the built-in ASP.NET Membership. It doesn't sound like that's what you would want to use, so you might want to build your own attribute to validate the HTTP request yourself.

In regards to using a shared hosting account, I'm not sure what the question is. Are you asking if a shared hosting account will work for your needs? I don't know your needs, but shared hosting can certainly accommodate 1) ASP.NET MVC and 2) SQL databases.

This is a really high-level question you are asking...

What I would do in this situation is somehow tie a unique key to the phone or to user+phone (depends on how the iPhone works - can it hold multiple users?). This can be done a number of ways, but one popular way would be to have the user authenticate with your site and link their phone to their account. During this process you send a unique key down to the phone that it uses for subsequent requests.

This gives you a few things:

basic security for actions - you can validate the incoming key against a database to see that it is allowed, AND

user connections - allows you to easily store user data on your site "in the cloud" and lets you instantly know who is connecting

To actually do it, you should go as statichippo suggested with the attribute. I do this to validate a user against particular actions' role requirements.

Shared hosting might work, but if your app is successful you may need more powa. Cloud hosting may be beneficial here, as you will probably have peak/boom hours and low-usage hours every day.
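Both answers above point at the same design: a custom MVC 2 authorization attribute that checks a per-device key sent with each request against a database, and that also tells the action which user is calling. The following C# is an added example written here to illustrate that design; it is not code from either answer, the question, or any project. The X-Device-Key header name, the IDeviceKeyStore interface, the in-memory store and the startup wiring are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Store of issued device keys. Only the SHA-256 hash of each key is kept, so a
// leaked database does not hand out usable keys. The interface and in-memory
// implementation are assumptions for this example; a real site would back the
// lookup with its SQL database.
public interface IDeviceKeyStore
{
    // Returns the user the key is bound to, or null if the key is unknown or revoked.
    string FindUserByKeyHash(byte[] keyHash);
}

public class InMemoryDeviceKeyStore : IDeviceKeyStore
{
    private readonly Dictionary<string, string> _userByHash = new Dictionary<string, string>();

    // Called when the user links their phone to their account: mints a fresh random
    // key, remembers only its hash, and returns the key to send down to the phone.
    public string IssueKey(string userName)
    {
        var raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
        string key = Convert.ToBase64String(raw);
        _userByHash[Convert.ToBase64String(DeviceKeyAuthorizeAttribute.HashKey(key))] = userName;
        return key;
    }

    public string FindUserByKeyHash(byte[] keyHash)
    {
        string user;
        return _userByHash.TryGetValue(Convert.ToBase64String(keyHash), out user) ? user : null;
    }
}

// Custom authorization attribute: the request passes only if it carries a known
// device key over HTTPS. Deriving from AuthorizeAttribute keeps the normal MVC 2
// filter pipeline (including its output-cache handling).
public class DeviceKeyAuthorizeAttribute : AuthorizeAttribute
{
    public const string HeaderName = "X-Device-Key"; // header name is an assumption

    // MVC 2 attributes have no injection hook, so the store is wired once at startup.
    public static IDeviceKeyStore Store { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The key is a bearer secret; never accept it over plain HTTP.
        if (!httpContext.Request.IsSecureConnection) return false;

        string key = httpContext.Request.Headers[HeaderName];
        if (Store == null || string.IsNullOrEmpty(key)) return false;

        // Hash first, then look up: the lookup compares hashes, so its timing
        // reveals nothing useful about the key itself.
        string user = Store.FindUserByKeyHash(HashKey(key));
        if (user == null) return false;

        // Tell the action who is calling (the "user connections" point above).
        httpContext.Items["DeviceUser"] = user;
        return true;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // A bare 401 instead of the Forms-auth login redirect: the caller is an app, not a browser.
        filterContext.Result = new HttpUnauthorizedResult();
    }

    public static byte[] HashKey(string key)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(key));
    }
}

// Example action protected by the attribute.
public class DeviceDataController : Controller
{
    [DeviceKeyAuthorize]
    [HttpPost]
    public ActionResult Upload(string payload)
    {
        string user = (string)HttpContext.Items["DeviceUser"];
        // ... persist payload for `user` in the database ...
        return Content("stored for " + user);
    }
}

// Startup wiring, e.g. from Application_Start in Global.asax (assumed placement).
public static class DeviceKeyStartup
{
    public static void Configure()
    {
        var store = new InMemoryDeviceKeyStore();
        DeviceKeyAuthorizeAttribute.Store = store;
        // string keyForPhone = store.IssueKey("alice"); // issued at link time, sent to the phone
    }
}
```

As the first answer notes, this proves possession of the key, not that the caller is a particular iPhone; what it buys you is that a stolen or shared key can be revoked by deleting its hash from the store, and that every accepted request is already tied to a user before the action runs.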

If this will not have an actual user interface and is only used to transfer data, you are probably better off creating a WCF web service as your project. You can then use this web service from your iPhone app using something like what is detailed in this blog post.

Web services are designed for this situation, and provide many ways of authentication and security. Plus, it's more RESTful.
