[Mono-list] trusted_connection with mod_mono?
PBradley at uwic.ac.uk
Wed Feb 8 17:00:21 EST 2006
For security reasons we don't allow Web servers to connect to databases. Instead, we split the application into layers. The presentation logic layer runs on the Web server.
We use forms authentication. Users log in and their credentials (as entered) are sent to a remote object, on the business logic layer server, that checks with AD and returns true/false.
When logged in (we use attributes to protect objects that can only be accessed by logged-in users, and we also check the users' roles the same way), users can perform functions that access the db. The code-behind pages on the Web server pass the data storage and retrieval requests to another remote object on the business layer server. This remote object validates any data being passed in and connects to the database, which may or may not be remote, returning whatever is required to the code-behind page.
The Web server is not on the domain, but the business logic server and the database server both are. This means that we can use trusted connections between the business logic layer and the database layer. The business logic server is configured to accept requests only from the Web server. The database server is configured to only accept requests from the business logic layer server.
The upshot of all this is the Web server can be any type we like running on any OS we like.
That's how we do it, anyway.
From: mono-list-bounces at lists.ximian.com on behalf of ((( m )))
Sent: Wed 2/8/2006 8:06 PM
To: mono-list at lists.ximian.com
Subject: [Mono-list] trusted_connection with mod_mono?
hello. we are testing the use of asp.net apps within mod_mono on apache
running on windows server 2003 [with the eventual migration to a
different os]. the asp.net apps are working great. but on iis, we use
"application pools" to have each asp.net application run under its own
domain account "security context" so that it can use integrated kerberos
authentication with ldap directory [currently active directory] and a
trusted connection to our databases [rather than clear text database
usernames and passwords]. we are trying to emulate that same isolation
of asp.net applications using mod_mono and apache, and having trouble.
anyone accomplish this out there yet, or know what pieces i need to put
together to make it all work? any pointers are appreciated.
republic of cascadia
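
The layering described in the reply, sketched as an added example (not code from either poster). It assumes .NET Remoting over TCP and SQL Server; the class names, the Orders table, the server and database names, the port and the URI are all hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Text.RegularExpressions;

// Hypothetical business-layer object. The web tier calls it remotely and
// never holds a connection string or a database credential.
public class OrderService : MarshalByRefObject
{
    // Trusted connection: no user name or password in the string. The
    // database sees the domain account this host process runs under.
    private const string ConnStr =
        "Server=DBSERVER;Database=AppDb;Trusted_Connection=True;";

    // \z rather than $ so that a trailing newline is rejected as well.
    private static readonly Regex CustomerId = new Regex(@"^[A-Z0-9]{1,10}\z");

    public int CountOrders(string customerId)
    {
        // Validate everything that arrives from the web tier before it
        // gets anywhere near the database.
        if (customerId == null || !CustomerId.IsMatch(customerId))
            throw new ArgumentException("invalid customer id");

        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Orders WHERE CustomerId = @id", conn))
        {
            // Parameterized, so the validated value is never spliced into SQL.
            cmd.Parameters.Add("@id", SqlDbType.VarChar, 10).Value = customerId;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}

public static class BusinessHost
{
    public static void Main()
    {
        // Restricting callers to the web server's address is assumed to be
        // done outside this code (host firewall or network ACL).
        ChannelServices.RegisterChannel(new TcpChannel(8085), false);
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(OrderService), "OrderService.rem",
            WellKnownObjectMode.SingleCall);
        Console.ReadLine(); // keep the host process alive
    }
}
```

Run the host under the domain account that has been granted database access; the web tier only needs to reach the remoting endpoint.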