Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Application Security Recommendations

Status
Not open for further replies.
roccorocks

roccorocks

Programmer
Joined
Nov 26, 2002
Messages
248
Location
US
We have a "Admin Module" that a client can configure roles for the application. There is a small disconnect with what we should do in the C#.net code to handle this security. Note, this is NOT Windows Security. It is security driven off of the Admin Module and what settings are "set" for a user of the application. Just wondering if anyone has done something similar as far as security goes.
 
Sort by date Sort by votes
You'll have to elaborate more. you could use the Membership provider / RoleProvider. Implement a custom version of this.
 
Upvote 0 Downvote
security is not a simple concept. than you add the complexity of database vs application security. some say you need both, others the database is the single point of access and still others say manage it from code.

I prefer to manage security from code, rather than the database (table access and stored procs). In code I will use interceptors to decorate classes. if a user does not have rights to access members of the class I throw an exception. these exceptions can then be caught at the presentation layer and 1. logged 2. redirected to another screen.

As for data security (securing the results of a query) this is a very complex task. The best implementation I have found is Rhino.Security which is part of Ayende's Rhino-Tools. You'll need to understand Castle Windsor and Nhibernate to use Rhino.Security. If you are unfamiliar with these tools, it will not be easy to grasp as it's a paradigm shift in programmatic thinking. Especially from MS's RAD philosophy.

Jason Meckley
Programmer
Specialty Bakers, Inc.
 
Upvote 0 Downvote
The Microsoft membership provider is pretty limited -- all it lets you determine if someone (who has been authenticated) is a member of a specific role.

If your security requirements are fine-grained (Joe in Receivables should be able to enter values, but not run reports, while Betty can run reports, but not enter values) you're going to have to roll your own application-level security and then (maybe) map that to a role.

Chip H.



____________________________________________________________________
www.chipholland.com
 
Upvote 0 Downvote
the concepts that Chip are describing are possible with a security framework Rhino.Security, which is part of Rhino.Tools. The Security framework requires knowledge of the Castle Stack and NHibernate. This may, or may not, be a deterrent.

Jason Meckley
Programmer
Specialty Bakers, Inc.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

IlyaRabyy
  • Locked
  • Question Question
"Server Error in '/' Application. Keyword not supported: 'provider'."
Replies
1
Views
685
IlyaRabyy
IlyaRabyy
JScannell
  • Locked
  • Question Question
Square credit card payments for desktop application
Replies
4
Views
651
gbaughma
gbaughma
diembi
  • Locked
  • Question Question
Microservice for applications with a lot of real-time events
Replies
0
Views
211
diembi
diembi
MakeItSo
  • Locked
  • Question Question
.Net 4 application won't run on Win XP SP3
Replies
3
Views
367
MakeItSo
MakeItSo
boanrb
  • Locked
  • Question Question
C# Modular Application
Replies
6
Views
401
Moregelen
Moregelen

Part and Inventory Search

Sponsor

Back
Top