Re: Authenticating users in an n-Tier/layer architecture
From: "Chris Blanco" <cblancoNOSPAM@necam.com>
Date: Fri, 21 Mar 2003 09:42:10 -0500
The main problem I have with COM+ is that the main service for my APP is
legacy code and not designed to be COM compliant. Which is throwing a kink
in the whole operation. The service is VERY LARGE and CANNOT be converted to
managed code within the time frame we have. Currently we communicate with
the unmanaged code with XML over a TCP/IP transport service we created. This
is where the security problems kick in.
"Joseph Geretz" <firstname.lastname@example.org> wrote in message
> Hi Chris,
> OK, as far as initial authentication goes. However, as far as
> for specific request/transactions, it sounds to me like you'll be assuming
> the burden of drilling the identifying ticket down through the call stack as
> you progress through the tiers. If you develop a method which you assume
> will not need any authorization services, and then this method
> calls a server method which needs the ticket, you'll be stuck. Might you
> find yourself in one of these following situations?
> 1. Crafting *every* method in your entire application to pass the ticket.
> (Safe, but a bit awkward.)
> 2. Finding yourself needing to frequently revise method signatures in order
> to pass the ticket.
> The advantage to the COM+ approach is that the 'ticket', that is the
> identity of the original caller, flows naturally throughout the duration of
> the request/transaction. It's part of the intrinsic COM+ environment and you
> don't need to write explicit code in order to pass it.
> Anyway, good luck with whatever approach you adopt.
> - Joe Geretz -
> "Chris Blanco" <cblancoNOSPAM@necam.com> wrote in message
> > I did a little more research and came up with a better example. I need to
> > provide my users with the ability to either authenticate with a user
> > and encrypted password or with a Windows Domain Controller. Here is an
> > article that gave me the idea:
> > http://www.codeproject.com/aspnet/formsroleauth.asp
> > Using this example I can control how the user is Authenticated. I will
> > require all calls to pass a User name and AUTH ticket that will be used to
> > validate them. It's hard to explain here but, thanks for the help!
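
The scheme discussed in this thread (every call carries a user name and an auth ticket, checked again at the service behind the XML/TCP transport), as an added example that is not part of the original messages or anyone's actual code. The ticket format (expiry plus HMAC-SHA256), the shared key, the XML envelope and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

# Assumption: a key shared by the front tier and the back-end service (constructed value).
SHARED_KEY = b"constructed-demo-key"


def _mac(user, expires):
    return hmac.new(SHARED_KEY, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()


def issue_ticket(user, ttl=300, now=None):
    """Issued once, after the user authenticates (password or domain controller)."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"{expires}.{_mac(user, expires)}"


def verify_ticket(user, ticket, now=None):
    """True only if the ticket was issued for this exact user and has not expired."""
    try:
        expires_s, mac = ticket.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False
    fresh = (now if now is not None else time.time()) < expires
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(mac.encode(), _mac(user, expires).encode()) and fresh


def build_request(user, ticket, action):
    """Hypothetical XML envelope: identity travels with every call."""
    req = ET.Element("request", {"user": user, "ticket": ticket})
    ET.SubElement(req, "action").text = action
    return ET.tostring(req)


def handle_request(raw, now=None):
    """Service-side entry point: authenticate the envelope before dispatching."""
    try:
        req = ET.fromstring(raw)
    except ET.ParseError:
        return "rejected: malformed"
    user, ticket = req.get("user", ""), req.get("ticket", "")
    if not user or not verify_ticket(user, ticket, now):
        return "rejected: bad ticket"
    return f"ok: {req.findtext('action')} as {user}"
```

Checking the ticket once at the transport boundary, rather than in every inner method, keeps the claimed user name bound to the ticket without threading it through each method signature.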