Re: Newbie security architecture question

From: Joe Kaplan (ilearnedthisthehardway@noway.com)
Date: 01/18/03


From: "Joe Kaplan" <ilearnedthisthehardway@noway.com>
Date: Sat, 18 Jan 2003 11:05:50 -0600


You might consider a layered approach where you factor the role-based
security requirements into a separate assembly and call into that through
your web application. Your business objects would trust this outer layer
and rely on it for authorization of activities. With that, you could use
the role-based mechanism that ASP.NET offers.

For callers that actually access your business objects, you might consider
using Strong-name permissions to authorize callers. Basically, a
strong-name permission will require that the calling assembly be signed with
a strong name key that you would presumably control and distribute.

Combining these two things might give you the flexibility to do exactly what
you want, but you will probably need to spend some careful consideration in
your design.

For what it's worth, I am doing something similar with a set of business
objects that are called from both ASP.NET apps and also from some
"batch-style" console apps and services. It seems to be working out pretty
well so far.

Good luck,

Joe K.

"Robert Zurer" <robert@zurer.com> wrote in message
news:e8sgLewvCHA.1640@TK2MSFTNGP09...
>
> "Shawn Farkas [MS]" <shawnfa@online.microsoft.com> wrote in message
> news:#rfFM3nvCHA.2668@TK2MSFTNGP09...
> > Hi Robert,
> >
> > Joe is correct, you do want to use role based security.
>
> Thank you both for your kind input.
>
> One of the issues I didn't mention is that I intend to use the same
business
> objects for many different applications. In one application the method
> Foo.Bar() may be available to all users and in another only to some,
making
> hardcoded security attributes unworkable, (or am I wrong?).
>
> My idea was to have each class and method have an CustomAttribute
specifying
> the evidence necessary to call it successfully. Each 'UserSecurityObject'
> would be supplied with a list of these 'pieces of evidence' when the
session
> starts. Then, and here is the problem, the server would somehow call the
> methods of this object using a new AppDomain, passing into the AppDomain
the
> evidence supplied by the client session.
>
> To use a non-real-world example, if I were using not using a web
> application, but instead a series of console apps, the console apps could
be
> identical except that each application's assembly would contain specific
> evidence based on what code the app is allowed to call.
>
> Can I do this from within a web application?
>
> Robert Zurer
>
>
>
>



Relevant Pages

  • Re: Newbie security architecture question
    ... hardcoded security attributes unworkable,. ... the evidence necessary to call it successfully. ... methods of this object using a new AppDomain, ... application, but instead a series of console apps, the console apps could be ...
    (microsoft.public.dotnet.security)
  • Re: Newbie security architecture question
    ... hardcoded security attributes unworkable,. ... the evidence necessary to call it successfully. ... methods of this object using a new AppDomain, ... application, but instead a series of console apps, the console apps could be ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Newbie security architecture question
    ... For callers that actually access your business objects, ... "batch-style" console apps and services. ... you do want to use role based security. ... > the evidence necessary to call it successfully. ...
    (microsoft.public.dotnet.security)
  • RE: Is IDS/IPS worthless?
    ... primary business is theirs, and other people's money, calculate technology ... role and costing of technology in a business. ... Different businesses have different teams that look into the value of risk ... Most banks now have IT security savvy staff within their audit teams - I ...
    (Focus-IDS)
  • ISO 27001 Newsletter: Edition 17 Released
    ... The latest issue of the newsletter covering the ISO information ... news and background with respect to the ISO security standards. ... Trials and Tribulations of an Information Security Officer ... Business Continuity Management: Preparation and Risk ...
    (comp.security.misc)