Password protected .NET ClickOnce deployment?


Problem description

How can I protect a ClickOnce deployed application with a password? Do I have to change the IIS settings of the web or is there a way to do it programmatically? I'm using Visual Studio 2005 (.NET 2.0).

If I have to use web credentials, are auto-updates of the application still possible?

Would be great if you could provide some sample code or detailed instructions for administering IIS.

Thank you!

Recommended answer

I found a possible solution by myself in this MSDN article: ClickOnce Deployment and Security.

If you want to control which deployments each user can access, you should not enable anonymous access to ClickOnce applications deployed on a Web server. Rather, you would enable users access to the deployments you have installed based on a user's identity (using Windows NT authentication).

If you deploy to an environment without Windows NT authentication, a solution could be to try using ASP.NET form-based authentication to authenticate the user. However, ClickOnce does not support forms-based authentication because it uses persistent cookies; these present a security risk because they reside in the Internet Explorer cache and can be hacked. Therefore, if you are deploying ClickOnce applications, any authentication scenario besides Windows NT authentication is unsupported.

An additional security consideration occurs if you have to pass arguments into a ClickOnce application. ClickOnce enables developers to supply a query string to applications deployed over the Web. The query string takes the form of a series of name-value pairs at the end of the URL used to start the application:

http://servername.adatum.com/WindowsApp1.application?username=joeuser

By default, query-string arguments are disabled. To enable them, the attribute trustUrlParameters must be set in the application's deployment manifest. This value can be set from Visual Studio and from MageUI.exe. For detailed steps on how to enable passing query strings, see How to: Retrieve Query String Information in a ClickOnce Application.

You should never pass arguments retrieved through a query string to a database or to the command line without checking the arguments to make sure that they are safe. Unsafe arguments are ones that include database or command line escape characters that could allow a malicious user to manipulate your application into executing arbitrary commands.

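Note: Query-string arguments are the only way to pass arguments to a ClickOnce application at startup. You cannot pass arguments to a ClickOnce application from the command line.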
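
The argument check the quoted article calls for could look like the following. This is an added example, not code from the answer or from MSDN; it is written in C# 2.0 syntax, and the username policy and the `Users`, `Login` and `DisplayName` names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Deployment.Application;
using System.Text.RegularExpressions;

static class LaunchArgs
{
    // Assumed policy: 1-32 letters, digits, '.', '_' or '-'. Everything else is rejected.
    static readonly Regex SafeUser = new Regex(@"\A[A-Za-z0-9._-]{1,32}\z");

    // Splits "?a=b&c=d" into percent-decoded name/value pairs.
    public static Dictionary<string, string> Parse(Uri activationUri)
    {
        Dictionary<string, string> args =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        if (activationUri == null) return args; // null when trustUrlParameters is off
        foreach (string pair in activationUri.Query.TrimStart('?').Split('&'))
        {
            string[] kv = pair.Split(new char[] { '=' }, 2);
            if (kv[0].Length == 0) continue;
            args[Uri.UnescapeDataString(kv[0])] =
                kv.Length == 2 ? Uri.UnescapeDataString(kv[1]) : "";
        }
        return args;
    }
    // Returns the username only if it passes the allow-list, otherwise null.
    public static string GetValidatedUser(Uri activationUri)
    {
        string user;
        if (!Parse(activationUri).TryGetValue("username", out user)) return null;
        return SafeUser.IsMatch(user) ? user : null;
    }
    // The value is bound as a parameter and never concatenated into the SQL text.
    // Table and column names are hypothetical.
    public static SqlCommand BuildLookup(string user)
    {
        SqlCommand cmd = new SqlCommand("SELECT DisplayName FROM Users WHERE Login = @login");
        cmd.Parameters.Add("@login", SqlDbType.NVarChar, 32).Value = user;
        return cmd;
    }
    static void Main()
    {
        // Outside a ClickOnce launch, fall back to a constructed sample URL
        // whose username decodes to "joeuser';--".
        Uri uri = ApplicationDeployment.IsNetworkDeployed
            ? ApplicationDeployment.CurrentDeployment.ActivationUri
            : new Uri("http://servername.adatum.com/WindowsApp1.application?username=joeuser%27%3B--");
        string user = GetValidatedUser(uri);
        Console.WriteLine(user == null ? "rejected launch argument" : BuildLookup(user).CommandText);
    }
}
```

A `username` value in the query string is supplied by whoever builds the URL, so it identifies nothing on its own; access control still comes from the Windows NT authentication on the web server described above.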
