群集环境中的ASP.Net Core数据保护API [英] ASP.Net Core Data Protection API in a Clustered Environment
问题描述
我难以理解Data Protection API。
我想在集群环境(服务结构)中建立一些网络核心Web应用程序。以前,您要做的只是确保每台计算机在其web.config中具有相同的密钥。简单。借助新的数据保护API,似乎需要更多( lottle !)。
来自文档在这里似乎应该很简单,即使用适当的证书来设置数据保护服务。
但是我尝试这样做:
public static void Main(string [] args)
{
//添加数据保护服务
var serviceCollection =新的ServiceCollection();
string thumbPrint = XXXXXXXXXXXX;
serviceCollection.AddDataProtection()
.ProtectKeysWithDpapiNG($ CERTIFICATE = HashId:{thumbPrint},标志:Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags.None);
var services = serviceCollection.BuildServiceProvider();
//使用服务提供者
创建MyClass实例var instance = ActivatorUtilities.CreateInstance< MyClass>(services);
instance.RunSample();
}
公共类MyClass
{
IDataProtector _protector;
//提供者参数由DI提供
public MyClass(IDataProtectionProvider provider)
{
_protector = provider.CreateProtector( Contoso.MyClass.v1 );
}
public void RunSample()
{
Console.Write( Enter input:);
字符串输入= Console.ReadLine();
//保护有效负载
字符串protectedPayload = _protector.Protect(input);
Console.WriteLine($保护返回:{protectedPayload});
//取消保护有效载荷
字符串unprotectedPayload = _protector.Unprotect(protectedPayload);
Console.WriteLine($取消保护返回:{unprotectedPayload});
Console.ReadLine();
}
}
我只是得到一个例外
System.InvalidOperationException发生
HResult = 0x80131509
消息=类型'Microsoft.AspNetCore.DataProtection.Repositories没有服务。 IXmlRepository'已注册。
经过一番挖掘后发现,这是因为没有为键指定持久存储。 / p>
这里有什么建议?我是否应该将密钥保留在某个中央位置(即,可用于我所有应用程序的共享)。如果是这样,原因是什么?
您必须提供 IXmlRepository的实现
为数据保护API提供了一个存储密钥的地方。 ProtectKeysWith *()
指令可保护静态密钥(从基本意义上讲,在保存密钥之前先对其进行加密!)。其他信息此处。
我最终坚持使用我的AzureStorage密钥。更多信息此处。
serviceCollection.AddDataProtection()
.ProtectKeysWithDpapiNG($ CERTIFICATE = HashId: {thumbPrint},标志:Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags.None)
.PersistKeysToAzureBlobStorage(/ * params * /);
还值得注意的是,用于保护密钥的证书必须将其存储在证书存储区中,并且运行该应用程序的帐户必须具有读取权限。请参见此处。
I'm having difficulty understanding the Data Protection API.
I'm wanting to set up some net core web applications in a clustered environment (service fabric). Previously what you'd do is just ensure that each machine has the same key in its web.config. Simple. With the new data protection API it seems a little (lottle!) bit more involved.
From the documentation here it appears that it should be as simple as setting up the Data Protection service with the appropriate certificate.
However I tried this:
public static void Main(string[] args)
{
// add data protection services
var serviceCollection = new ServiceCollection();
string thumbPrint = "XXXXXXXXXXXX";
serviceCollection.AddDataProtection()
.ProtectKeysWithDpapiNG($"CERTIFICATE=HashId:{thumbPrint}", flags: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags.None);
var services = serviceCollection.BuildServiceProvider();
// create an instance of MyClass using the service provider
var instance = ActivatorUtilities.CreateInstance<MyClass>(services);
instance.RunSample();
}
public class MyClass
{
IDataProtector _protector;
// the 'provider' parameter is provided by DI
public MyClass(IDataProtectionProvider provider)
{
_protector = provider.CreateProtector("Contoso.MyClass.v1");
}
public void RunSample()
{
Console.Write("Enter input: ");
string input = Console.ReadLine();
// protect the payload
string protectedPayload = _protector.Protect(input);
Console.WriteLine($"Protect returned: {protectedPayload}");
// unprotect the payload
string unprotectedPayload = _protector.Unprotect(protectedPayload);
Console.WriteLine($"Unprotect returned: {unprotectedPayload}");
Console.ReadLine();
}
}
And I just get an exception of
System.InvalidOperationException occurred
HResult=0x80131509
Message=No service for type 'Microsoft.AspNetCore.DataProtection.Repositories.IXmlRepository' has been registered.
Which after some digging around turns out that it's because there is no persisted store specified for the keys.
What is advised here? Should I be persisting my keys to some central location (i.e. a share that is available to all my applications). If so, what is the reason why?
You have to supply an implementation of IXmlRepository
which provides the data protection API with a place to store the keys. The ProtectKeysWith*()
directives protect the keys at rest (in basic terms, encrypts the keys before saving them!). Additional info here.
I ended up persisting my keys to AzureStorage. More info here.
serviceCollection.AddDataProtection()
.ProtectKeysWithDpapiNG($"CERTIFICATE=HashId:{thumbPrint}", flags: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiNGProtectionDescriptorFlags.None)
.PersistKeysToAzureBlobStorage(/* params */);
It is also worth noting that the certificate used to protect the keys must be stored in a certificate store and the account which the application is running under must have read access. See here.
这篇关于群集环境中的ASP.Net Core数据保护API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!