Re: Authenticating users in an n-Tier/layer architecture

From: Chris Blanco (cblancoNOSPAM@necam.com)
Date: 03/21/03


From: "Chris Blanco" <cblancoNOSPAM@necam.com>
Date: Fri, 21 Mar 2003 09:42:10 -0500


The main problem I have with COM+ is that the main service for my APP is
legacy code and not designed to be COM compliant. Which is throwing a kink
in the whole operation. The service is VERY LARGE and CANNOT be converted to
managed code within the time frame we have. Currently we communicate with
the unmanaged code with XML over a TCP/IP transport service we created. This
is where the security problems kick in.

"Joseph Geretz" <jgeretz@nospam.com> wrote in message
news:#tE7NNz7CHA.2196@TK2MSFTNGP12.phx.gbl...
> Hi Chris,
>
> OK, as far as initial authentication goes. However, as far as authorization
> for specific request/transactions, it sounds to me like you'll be assuming
> the burden of drilling the identifying ticket down through the call stack as
> you progress through the tiers. If you develop a method which you assume
> will not need any authorization services, and then this method subsequently
> calls a server method which needs the ticket, you'll be stuck. Might you
> find yourself in one of these following situations?
>
> 1. Crafting *every* method in your entire application to pass the ticket.
> (Safe, but a bit awkward.)
>
> 2. Finding yourself needing to frequently revise method signatures in order
> to pass the ticket.
>
> The advantage to the COM+ approach is that the 'ticket', that is the
> identity of the original caller, flows naturally throughout the duration of
> the request/transaction. It's part of the intrinsic COM+ environment and you
> don't need to write explicit code in order to pass it.
>
> Anyway, good luck with whatever approach you adopt.
>
> - Joe Geretz -
>
> "Chris Blanco" <cblancoNOSPAM@necam.com> wrote in message
> news:O065nOy7CHA.3332@TK2MSFTNGP11.phx.gbl...
> > I did a little more research and came up with a better example. I need to
> > provide my users with the ability to either authenticate with a user name
> > and encrypted password or with a Windows Domain Controller. Here is an
> > article that gave me the idea:
> >
> > http://www.codeproject.com/aspnet/formsroleauth.asp
> >
> > Using this example I can control how the user is Authenticated. I will then
> > require all calls to pass a User name and AUTH ticket that will be used to
> > validate them. It's hard to explain here but, thanks for the help!
>
>
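
Added example, not part of either post and not the posters' code: a sketch of the "user name plus AUTH ticket on every call" scheme discussed above, with the ticket checked once at the XML entry point of the legacy service instead of being threaded through every method signature. The HMAC construction, the shared key, the ticket lifetime and the XML element names are all assumptions; Python is used only because the XML-over-TCP format is language-neutral.

```python
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

# Assumptions (not from the thread): shared key, lifetime, XML element names.
SERVICE_KEY = b"constructed-demo-key"  # constructed value; load from a secret store
TICKET_LIFETIME = 20 * 60  # seconds

def _mac(user, expiry_text):
    # The MAC covers both fields, so a ticket cannot be replayed under another name.
    msg = f"{user}|{expiry_text}".encode()
    return hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()

def issue_ticket(user, now=None):
    """Front tier: called once, after the user has authenticated."""
    expiry = str(int(time.time() if now is None else now) + TICKET_LIFETIME)
    return f"{expiry}.{_mac(user, expiry)}"

def verify_ticket(user, ticket, now=None):
    """Service tier: the ticket is valid only for the user it was issued to."""
    expiry_text, _, mac = ticket.partition(".")
    if not (expiry_text.isascii() and expiry_text.isdigit()):
        return False
    expected = _mac(user, expiry_text)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    return int(expiry_text) > (time.time() if now is None else now)

def build_request(user, ticket, method):
    req = ET.Element("request", {"method": method})
    ET.SubElement(req, "user").text = user
    ET.SubElement(req, "ticket").text = ticket
    return ET.tostring(req)

def handle_request(raw, now=None):
    """One choke point in front of the legacy service: verify, then dispatch."""
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return "rejected: DTD not allowed"  # untrusted XML must not define entities
    try:
        req = ET.fromstring(raw)
    except ET.ParseError:
        return "rejected: malformed XML"
    user = req.findtext("user", default="")
    ticket = req.findtext("ticket", default="")
    if not user or not verify_ticket(user, ticket, now):
        return "rejected: bad or expired ticket"
    return f"dispatch {req.get('method')} as {user}"
```

The ticket here proves only who the caller is; per-method authorization still has to be decided after `handle_request` accepts the request, and the TCP channel needs its own protection against capture and replay within the ticket lifetime.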


