Re: Reg Role Based security..

From: Madan Nayak (madan_at_ubicsindia.com)
Date: 02/11/04


Date: Wed, 11 Feb 2004 20:40:39 +0530

Hi Joe.

I have used Role based security with Custom Principal.

My question is the same security I can achieve by using session.

So what are the advantages of using role-based security over using session?

I know a few advantages, like it is a better programmatic approach... I only
have to check IsInRole()....

What else...

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:O2CTow%237DHA.2056@TK2MSFTNGP10.phx.gbl...
> I'm not saying you have to use the IPrincipal class, I'm just suggesting
> that you should use it where appropriate.
>
> With IPrincipal, you get a lot more support from the Framework. For
> example, if you use Windows authentication in IIS, the IPrincipal in the
> current HttpContext will already contain a WindowsPrincipal that has all of
> the user's domain groups in it. You don't have to do anything. IPrincipal
> lets you use the PrincipalPermission class as well as the
> PrincipalPermissionAttribute class, so that you can just add attributes
> to your code to allow access.
>
> IPrincipal integrates with the UrlAuthorizationModule, so you can allow and
> deny access to various resources in your ASP.NET application via the
> <allow/> and <deny/> tags in web.config.
>
> Finally, IPrincipal is associated with the currently executing thread, so
> you can get the IPrincipal associated with the request from components that
> have no reference to your ASP.NET code or session variables by simply
> calling Thread.CurrentThread.CurrentPrincipal (or using the
> PrincipalPermission or PrincipalPermissionAttribute classes). Thus if your
> code is factored into several tiers (as is the generally recommended .NET
> application architecture), you still have all of these role-based security
> services available to you.
>
> You don't get any of that extra support by simply having a function and
> using session variables.
>
> It is still possible to store your role-information in session state if you
> like. In that case, the general practice is to handle the
> Application_AuthenticateRequest event in global.asax and create the
> IPrincipal object based on your stored groups in that function. Thus it is
> very easy to integrate into the .NET role-based security framework. You can
> also do this in an HttpModule very easily. This isn't really significantly
> more work than writing a function to check group membership.
>
> So, I'm not saying that you have to use IPrincipal. I'm simply suggesting
> that there are some compelling benefits you get from using the APIs the way
> they were intended and it isn't very difficult to integrate with the system.
>
> HTH,
>
> Joe K.
>
> ".NET Follower" <amitagarwal-NET@SoftHome.net> wrote in message
> news:u%23GCH467DHA.2560@TK2MSFTNGP09.phx.gbl...
> > just as there is a method of User.IsInRole
> > to check whom to give access..
> > we can even write our method
> > like the above
> > so we will retrieve from session the groups and check in the function
> > whether the user belongs to the group
> >
> > so there is no need of the Principal classes and stuff????
> >
> > please clarify??
> >
> > --
> > Thanks and Regards,
> >
> > Amit Agarwal
> > Software Programmer(.NET)
> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > in message news:%2353G$oy7DHA.2832@tk2msftngp13.phx.gbl...
> > > Role-based security in .NET allows you to allow or deny access to
> > > functionality within your code based on a user's identity and role
> > > membership. ASP.NET session state is just a storage container for data
> > > associated with a given web session.
> > >
> > > Role-based security in .NET is deeply embedded in the API. This is evident
> > > through the System.Security.Principal namespace, PrincipalPermission and
> > > PrincipalPermissionAttribute classes, and Thread.CurrentPrincipal member.
> > > There is also strong integration support for it in ASP.NET, both with
> > > Windows authentication and Forms authentication with the FormsPrincipal
> > > class.
> > >
> > > So, essentially I would tell you to use role-based security when it is
> > > appropriate. This will give you the most consistent method of using
> > > role-based security and allow you to take advantage of all of the built-in
> > > platform service support for it. If your web application requires it, it is
> > > certainly okay to store your principal information in Session state in order
> > > to save extra lookups to the store, so you may use the two together. You
> > > may also use the cache for this.
> > >
> > > I hope that helps some. If you have more detailed questions, please ask.
> > >
> > > Joe K.
> > >
> > > "Madan Nayak" <madan@ubicsindia.com> wrote in message
> > > news:uPAZMrv7DHA.1804@TK2MSFTNGP12.phx.gbl...
> > > > Hi Amit..
> > > >
> > > > > I just want to know why should I go for the role based security, which I can
> > > > > achieve by using sessions?
> > > >
> > > > I think I am now much clear.
> > > >
> > > > Thanks In Advance.
> > > > Madan
> > > >
> > > > ".NET Follower" <amitagarwal-NET@SoftHome.net> wrote in message
> > > > news:%23Ehnzbu7DHA.3880@tk2msftngp13.phx.gbl...
> > > > > actually what prob r u having
> > > > > can u state that
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Thanks and Regards,
> > > > >
> > > > > Amit Agarwal
> > > > > Software Programmer(.NET)
> > > > > "Madan Nayak" <madan@ubicsindia.com> wrote in message
> > > > > news:uvXpptt7DHA.2416@TK2MSFTNGP10.phx.gbl...
> > > > > > Hi
> > > > > >
> > > > > > > Can anyone from Microsoft tell me the design goal of role-based security in
> > > > > > > the .NET Framework???
> > > > > >
> > > > > >
> > > > > > ".NET Follower" <amitagarwal-NET@SoftHome.net> wrote in message
> > > > > > news:%23Yw4khT7DHA.2044@TK2MSFTNGP10.phx.gbl...
> > > > > > >
> > > > > > >
> > > > > > > > ya u can use session with role based security ,
> > > > > > > >
> > > > > > > > just put roles from database into session and retrieve roles when required
> > > > > > > > ....
> > > > > > > > any further help is welcomed
> > > > > > > >
> > > > > > > > even 4GuysFromRolla has good articles
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > http://www.eggheadcafe.com/articles/20020906.asp
> > > > > > >
> > > > > > > --
> > > > > > > Thanks and Regards,
> > > > > > >
> > > > > > > Amit Agarwal
> > > > > > > Software Programmer(.NET)
> > > > > > > "Madan Nayak" <madan@ubicsindia.com> wrote in message
> > > > > > > news:eK0FgYH7DHA.1816@TK2MSFTNGP12.phx.gbl...
> > > > > > > > Hi All..
> > > > > > > >
> > > > > > > > > Can anybody detail out the basic diff/advantages/disadvantages over
> > > > > > > > > achieving the role based security and the same thing in case of achieved
> > > > > > > > > through session.....
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > Madan
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ---
> > > > > > > Outgoing mail is certified Virus Free.
> > > > > > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > > > > > > Version: 6.0.580 / Virus Database: 367 - Release Date: 2/6/2004
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > ---
> > > > > Outgoing mail is certified Virus Free.
> > > > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > > > Version: 6.0.580 / Virus Database: 367 - Release Date: 2/6/2004
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
> >
>
>
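
The pattern described in Joe Kaplan's quoted reply above (build the IPrincipal in Application_AuthenticateRequest from stored roles, then let other tiers rely on PrincipalPermissionAttribute), as an added example that is not part of the original thread. RoleStore, ReportService, the "Managers" role and the ten-minute cache lifetime are assumptions; the roles are kept in the ASP.NET cache, which the thread also mentions, because session state is not yet loaded when AuthenticateRequest fires.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Caching;

// global.asax code-behind (added example; RoleStore and ReportService are hypothetical).
public class Global : HttpApplication
{
    // Fires on every request once Windows/Forms authentication has set Context.User.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return; // anonymous request: nothing to attach

        // Key the lookup on the authenticated name only, never on client-supplied data.
        string name = ctx.User.Identity.Name;
        string key = "roles:" + name.ToLowerInvariant();

        string[] roles = (string[])ctx.Cache[key];
        if (roles == null)
        {
            roles = RoleStore.GetRolesFor(name);
            // Absolute expiry bounds how long a revoked role stays effective.
            ctx.Cache.Insert(key, roles, null,
                DateTime.UtcNow.AddMinutes(10), Cache.NoSlidingExpiration);
        }

        IPrincipal principal = new GenericPrincipal(ctx.User.Identity, roles);
        ctx.User = principal;                // used by User.IsInRole and web.config <allow roles="..."/>
        Thread.CurrentPrincipal = principal; // used by PrincipalPermission in any tier
    }
}

// Business tier: no reference to HttpContext or Session.
public class ReportService
{
    // Throws SecurityException unless Thread.CurrentPrincipal is in "Managers".
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public void DeleteReport(int reportId) { /* delete logic goes here */ }
}

// Hypothetical role store; constructed in-memory data stands in for the database.
public static class RoleStore
{
    public static string[] GetRolesFor(string user) { return user == "alice" ? new[] { "Managers" } : new[] { "Users" }; }
}
```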


