Designing an Authentication and Authorization Strategy
2011-01-18 13:04
FROM MSDN: J.D. Meier
06-25-2008 10:35 PM
What are the key steps to designing an effective authentication and authorization strategy? The keys are knowing your user stores, your role stores, and who needs to access what or perform which operations. In this post, I share the approaches we've used in two of our patterns & practices guides. These are the approaches we've used to help customers successfully design their authentication and authorization strategies.
Designing an Authentication and Authorization Strategy - v1
When we first wrote Building Secure ASP.NET Applications, here's the meta-process we came up with for working through your authentication and authorization strategies:
Identify resources
Choose an authorization strategy
Choose the identities used for resource access
Consider identity flow
Choose an authentication approach
Decide how to flow identity
For elaboration, see Authentication and Authorization.
Designing an Authentication and Authorization Strategy - v2
When we recently wrote Improving Web Application Security, we made some revisions:
Identify your user stores.
Identify your role stores.
Identify resources you need to access and operations you need to perform.
Identify which identities need to access the resources and perform the operations.
Choose your authentication and authorization strategies.
Personally, I've found it really cuts to the chase if you start with your user stores and role stores, since they tend to be somewhat fixed.
Identities
When you think through the identities, I've found it helpful to think in terms of who needs to access which resources or perform which actions. Consider the following:
Original caller
Process identity
Service account
Custom identity
Role
Resource Types
When you think through the resource types, I find it helpful to think in terms of:
System
Application
User
Authorization Strategies
When thinking through the authorization strategies, I find it helpful to consider:
Role-based
Resource-based
Operation-based
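As an added example (not code from the original post), here are the three strategies applied to one constructed request, so it is visible where each decision lives: in the code path, on the resource, or in a separate operation policy. The principals, roles, document and ACL entries are made up for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset

@dataclass
class Document:
    doc_id: str
    owner: str
    # Resource-based: the resource itself carries an ACL mapping a
    # principal name to the operations granted on this instance.
    acl: dict = field(default_factory=dict)

# Role-based: the code path tests role membership directly, so the
# role names are baked into the application logic.
def role_based(p: Principal, operation: str) -> bool:
    if operation == "approve":
        return "Manager" in p.roles
    if operation == "read":
        return bool(p.roles & {"Manager", "Employee"})
    return False  # default deny for any operation the code does not know

# Resource-based: the decision is taken against the specific resource
# instance (its owner or its ACL), not against the caller's roles.
def resource_based(p: Principal, doc: Document, operation: str) -> bool:
    if p.name == doc.owner:
        return True
    return operation in doc.acl.get(p.name, set())

# Operation-based: the application names its operations and a separate
# policy table maps each operation to the roles allowed to perform it.
# Changing who may do what is then a policy edit, not a code change.
OPERATION_POLICY = {"approve": {"Manager"}, "read": {"Manager", "Employee"}}

def operation_based(p: Principal, operation: str, policy=None) -> bool:
    policy = OPERATION_POLICY if policy is None else policy
    return bool(p.roles & policy.get(operation, set()))

# Constructed sample data: a manager, an employee, and an expense report
# owned by the employee with a read grant for one more person.
alice = Principal("alice", frozenset({"Manager"}))
bob = Principal("bob", frozenset({"Employee"}))
report = Document("exp-42", owner="bob", acl={"carol": {"read"}})

def decisions(p: Principal, doc: Document, operation: str) -> dict:
    """Verdict of all three strategies for one request."""
    return {"role": role_based(p, operation),
            "resource": resource_based(p, doc, operation),
            "operation": operation_based(p, operation)}
```

Note how the strategies can disagree on the same request: resource-based lets the owner approve his own report, while role-based and operation-based deny it, which is why the choice of strategy is a design decision and not just an implementation detail.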
Resource Access Patterns
When thinking through the resource access patterns, I find it helpful to consider:
Trusted subsystem model
Impersonation/delegation model
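As an added example (not code from the original post), the two patterns modelled against one downstream store, so the identity the store sees, and the ACL it therefore has to hold, are visible for each. The service account name, application policy and ACL entries are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DownstreamStore:
    """A back-end resource (think database) that authorizes whoever connects to it."""
    acl: dict  # identity name -> set of operations that identity may perform
    audit: list = field(default_factory=list)

    def execute(self, connecting_identity: str, operation: str, on_behalf_of: str) -> bool:
        allowed = operation in self.acl.get(connecting_identity, set())
        # The store only sees the identity that connected; the original caller
        # reaches its audit trail only because the middle tier passed it along.
        self.audit.append((connecting_identity, on_behalf_of, operation, allowed))
        return allowed

SERVICE_ACCOUNT = "svc-webapp"  # constructed service identity of the middle tier

# Trusted subsystem: the middle tier authorizes the original caller itself, then
# accesses the store as its own fixed identity. This table is the constructed
# application-level policy it enforces.
APP_POLICY = {"alice": {"read", "approve"}, "bob": {"read"}}

def trusted_subsystem(store: DownstreamStore, caller: str, operation: str) -> bool:
    if operation not in APP_POLICY.get(caller, set()):
        return False  # denied at the trust boundary; the store is never contacted
    # The store trusts the middle tier, so its ACL needs one entry: the service account.
    return store.execute(SERVICE_ACCOUNT, operation, on_behalf_of=caller)

# Impersonation/delegation: the original caller's identity flows through to the
# store, which must therefore hold a per-user ACL and make the decision itself.
def impersonation_delegation(store: DownstreamStore, caller: str, operation: str) -> bool:
    return store.execute(caller, operation, on_behalf_of=caller)

def identity_seen_by_store(store: DownstreamStore) -> str:
    """Identity the store recorded for its most recent operation."""
    return store.audit[-1][0]

def make_stores():
    """Constructed stores, each provisioned with the ACL its pattern requires."""
    ts_store = DownstreamStore(acl={SERVICE_ACCOUNT: {"read", "approve"}})
    imp_store = DownstreamStore(acl={"alice": {"read", "approve"}, "bob": {"read"}})
    return ts_store, imp_store
```

The trust boundary moves with the pattern: under the trusted subsystem the middle tier's own check is all that stands between a caller and everything the service account may do, so that check and the service credential need protection to match.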
Designing authentication and authorization can be a gnarly topic. I hope the scaffolding above helps you find a path that works for you.