Password protected .NET ClickOnce deployment?

Question

How can I protect a ClickOnce deployed application with a password? Do I have to change the IIS settings of the web or is there a way to do it programmatically? I'm using Visual Studio 2005 (.NET 2.0).

If I have to use web credentials, are auto-updates of the application still possible?

Would be great if you could provide some sample code or detailed instructions for administering IIS.

Thanks!

Recommended answer

I found a possible solution by myself in this MSDN article: ClickOnce Deployment and Security.

If you want to control which deployments each user can access, you should not enable anonymous access to ClickOnce applications deployed on a Web server. Rather, you would enable users access to the deployments you have installed based on a user's identity (using Windows NT authentication).

If you deploy to an environment without Windows NT authentication, a solution could be to try using ASP.NET form-based authentication to authenticate the user. However, ClickOnce does not support forms-based authentication because it uses persistent cookies; these present a security risk because they reside in the Internet Explorer cache and can be hacked. Therefore, if you are deploying ClickOnce applications, any authentication scenario besides Windows NT authentication is unsupported.

An additional security consideration occurs if you have to pass arguments into a ClickOnce application. ClickOnce enables developers to supply a query string to applications deployed over the Web. The query string takes the form of a series of name-value pairs at the end of the URL used to start the application:

http://servername.adatum.com/WindowsApp1.application?username=joeuser

By default, query-string arguments are disabled. To enable them, the attribute trustUrlParameters must be set in the application's deployment manifest. This value can be set from Visual Studio and from MageUI.exe. For detailed steps on how to enable passing query strings, see How to: Retrieve Query String Information in a ClickOnce Application.

You should never pass arguments retrieved through a query string to a database or to the command line without checking the arguments to make sure that they are safe. Unsafe arguments are ones that include database or command line escape characters that could allow a malicious user to manipulate your application into executing arbitrary commands.

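Note: Query-string arguments are the only way to pass arguments to a ClickOnce application at startup. You cannot pass arguments to a ClickOnce application from the command line.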
