最佳网络安全性，多个网站的会员资格（Microsoft tech） [英] Best web security, membership for multiple websites (Microsoft tech)

问题描述

我进出网络开发（主要是编写Winforms应用程序），虽然我得到了如何编写MVC应用程序和使用Internet解决方案角色的安全模型 - 如果有几个网站那么您创建的可以与一个专门构建的安全应用程序进行交互和身份验证，其中包含一个用户数据库以及他们可以访问的应用程序 - 而不是每个网站都拥有自己独立的用户数据库以及对用户进行身份验证的方式。



任何人都可以推荐资源/技术/演练来做这种事情 - 那里更直接的尝试，那将是很棒的。



我尝试了什么：



我尝试过实施IdentityServer，但这有点过头了现在，我需要对此进行更多的研究。它有点充实，有很多东西需要理解。

Hi, I am in and out of web development (mostly write Winforms apps) and although I get the how to write MVC apps and the security model that roles with an "Internet" solution - it would be nice if several websites that you create could interact and authenticate users against ONE purpose built security app, with ONE database of users and what apps they have access to - rather than each website having it's own discrete database of users and way to authenticate against users.

Can anyone recommend a resource/technology/walkthrough to do this kind of thing - something out there that is more straight forward to attempt, that would be great.

What I have tried:

I have tried implementing IdentityServer, but it's a bit over my head for now and I need to do more research about this. It's a bit full on and there are lots of things to understand.

推荐答案

如果现在这是超出你的头脑，我建议在这一点上停下来并投入其他一些领域。如果你接近这个任务，你会发现更多的问题超出你的头脑，可能比你现在想象的要多得多。



预留明显的安全问题，您需要清楚地了解您的责任。如果所有应用程序的安全模式将所有应用程序打开到您可能允许潜入单个产品的任何微小漏洞，您的应用程序应该是另一层。它可以彻底破坏许多客户的生活。你愿意为此承担责任吗？同时，我了解您可以将您的应用程序限制为自己的一组站点，并确保所有这些站点都不用于处理和过度敏感的信息。但即使在这种情况下，您应该明白，特别是用户的密码非常有价值。即使在一个安全性不太敏感的网站上，如果某个恶意艺术家可以访问密码，也可能会在其他网站上破解同一个人的密码。但是，密码问题相对容易通过不在任何地方存储任何密码来解决，这是通常的做法。



为了全面了解所涉及的内容，请查看，特别是在 OpenID基金会：

OpenID - 维基百科，免费的百科全书 [ ^ ]，

OpenID Foundation网站 [ ^ ]，

OpenID解释 [ ^ ]。

-SA

If this is "over your head" right now, I would recommend to stop at this point and invest your efforts in some other fields. If you get to this task closer, you will find a lot more issues "over your head", probably a lot more than you can imagine right now.

Set aside obvious security issue, you need to clearly understand your liability. Your application should be another layer if the security schema of all application which will open all those application to any tiny exploit which you may allow to sneak in your single product. It can literally ruin the life on many your customers. Are you ready to hold responsibility for that? At the same time, I understand that you may limit your application to a set of site of your own, and make sure that all of them are not used for dealing with and overly sensitive information. But even in this case, you should understand that, in particular, the user's password can be extremely valuable. Even on a not very security sensitive site, if some malicious artist, say, get access to a password, it may give a clue for cracking passwords of the same person on other sites. However, the password problem is relatively easily solved by not storing any password anywhere, which is the usual practice.

To get a general idea on what's involved, please look, in particular, at OpenID Foundation:
OpenID — Wikipedia, the free encyclopedia[^],
OpenID Foundation website[^],
OpenID Explained[^].

—SA

这篇关于最佳网络安全性，多个网站的会员资格（Microsoft tech）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！