Eric
I'm new to ASP.NET and would like to know if the following is a good
strategy for securing web servers and application servers in an N-tier
architecture. I have a web server that talks to an application server via .NET
Remoting. The application server talks to SQL Server 2000. The version
of .NET is 2.0. I'd like to secure both the web server and the application server.
The remoting is hosted in IIS. I can restrict the IP addresses that the
application server accepts to the web server only, but I also want to prevent anyone
from just executing methods on the application server without
authentication. I was thinking of using forms authentication on the web
server. The login page requires 3 pieces of information: numeric id,
alphanumeric id, and password. After verifying that the numeric id, alphanumeric
id, and password match the given user, I thought of creating a session for
the user on the database side. The session key would be identified by a
hashable GUID. I could then store that session key in the forms
authentication cookie (as the name parameter when creating the
FormsAuthenticationTicket) and make sure that the cookie is encrypted and only
sent over SSL.
Then, in the Application_AuthenticateRequest method, I can read back the forms
authentication cookie, create an instance of a custom Principal object with a
custom IIdentity implementation, set the Principal object, and then allow the
client to pass the Principal object to the remoting application server. The
application server will read the Thread.CurrentPrincipal property and try to
validate against the custom IIdentity object.
Is this a good implementation of securing both layers? The web application
is using SSL and the traffic between web server and application server is
also SSL encrypted.
Thanks,
Eric
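The scheme described in the post, as an added example that is not part of the original message: the web tier keeps only an opaque session GUID in the encrypted forms ticket, and the application tier re-validates that GUID against its own session table on every remoted call instead of trusting a principal built on the client side. Two details are worth making explicit. Thread.CurrentPrincipal does not flow across a .NET Remoting call by itself, and even if it did, an IPrincipal that arrives from the web tier is client-controlled input; so the key travels as an explicit parameter and the app server looks it up. The table and column names (Sessions, Orders), the class names (SessionPrincipal, OrderService) and the use of the ticket's UserData field for the key are assumptions for illustration; the poster's design puts the key in the ticket name, which works the same way.

```csharp
// Added example, not from the original post. Assumed names: Sessions/Orders tables,
// SessionPrincipal, OrderService. Targets .NET 2.0 / ASP.NET / System.Data.SqlClient.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Web-tier principal. Carries the session key so page code can hand it to the
// remoted service; it is never sent to the app tier as a trusted object.
public sealed class SessionPrincipal : IPrincipal
{
    private readonly GenericIdentity identity;
    public readonly Guid SessionKey;

    public SessionPrincipal(string numericId, Guid sessionKey)
    {
        identity = new GenericIdentity(numericId, "Forms");
        SessionKey = sessionKey;
    }
    public IIdentity Identity { get { return identity; } }
    public bool IsInRole(string role) { return false; } // roles are decided server-side
}

// ---- Web tier -----------------------------------------------------------------
public static class WebTierAuth
{
    // Called after the numeric id / alphanumeric id / password check succeeded and a
    // row with a fresh GUID was inserted into the (assumed) Sessions table.
    public static void IssueTicket(HttpResponse response, string numericId, Guid sessionKey)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, numericId, DateTime.Now, DateTime.Now.AddMinutes(20),
            false, sessionKey.ToString("N"));           // key in UserData (assumption)
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // not readable by script
        cookie.Secure = true;     // only sent over SSL
        response.Cookies.Add(cookie);
    }

    // Body of Application_AuthenticateRequest in Global.asax.
    public static void AuthenticateRequest(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        if (ticket == null || ticket.Expired) return;   // tampered or stale ticket: anonymous
        Guid key;
        try { key = new Guid(ticket.UserData); } catch (FormatException) { return; }
        ctx.User = new SessionPrincipal(ticket.Name, key);
    }
}

// ---- Application tier (Remoting host) -----------------------------------------
public class OrderService : MarshalByRefObject
{
    private readonly string connectionString;   // assumption: supplied by the host

    public OrderService(string connectionString) { this.connectionString = connectionString; }

    // Every remoted method takes the session key and validates it itself. Nothing
    // read from Thread.CurrentPrincipal or from a client-sent IPrincipal is trusted.
    public DataTable GetOrders(Guid sessionKey)
    {
        string userId = RequireValidSession(sessionKey);
        using (SqlConnection cn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT OrderId, Total FROM Orders WHERE UserId = @UserId", cn))
        {
            cmd.Parameters.Add("@UserId", SqlDbType.VarChar, 32).Value = userId;
            DataTable result = new DataTable();
            cn.Open();
            result.Load(cmd.ExecuteReader());
            return result;
        }
    }

    // Server-side lookup of the GUID; expiry is enforced in the query so a stolen
    // but expired key is useless. Throws when no live session owns the key.
    private string RequireValidSession(Guid sessionKey)
    {
        using (SqlConnection cn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT UserId FROM Sessions WHERE SessionKey = @Key AND ExpiresAt > GETUTCDATE()", cn))
        {
            cmd.Parameters.Add("@Key", SqlDbType.UniqueIdentifier).Value = sessionKey;
            cn.Open();
            object userId = cmd.ExecuteScalar();
            if (userId == null)
                throw new UnauthorizedAccessException("No valid session for this key.");
            return (string)userId;
        }
    }
}
```

On the web tier a page would call `service.GetOrders(((SessionPrincipal)HttpContext.Current.User).SessionKey)`. Restricting the remoting endpoint to the web server's IP address and wrapping the channel in SSL still matters, since the session key is a bearer credential for the duration of the session; the server-side lookup is what stops a caller who reaches the endpoint anyway from fabricating an identity.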