Re: Security and Audit functionality
From: Prodip Saha (psaha_at_bear.com)
Date: 05/25/04
Date: Tue, 25 May 2004 09:14:32 -0500
Security is something very important, and most of us (developers) normally
don't pay attention to it at the beginning. The PreRequestHandlerExecute event
in the Global.cs file is a good place to validate the user. Visual Studio .NET
by default doesn't add this event handler to the Global.cs file, so you will
have to add it. One must pass through this event handler for every HTTP
request, and it is easy to get the URL and other user-related information in
this event.
To extend this further: you can even find out who is accessing what page and
when... don't like user X? Redirect him/her to a designated page... the list
can go on.
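protected void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
{
    // Runs for every HTTP request, just before the page handler executes.
    string sUrl = HttpContext.Current.Request.RawUrl;
    // RawUrl includes the query string; drop it so a "/" inside a parameter
    // value cannot change the page name extracted below.
    int iQuery = sUrl.IndexOf("?");
    if (iQuery >= 0)
        sUrl = sUrl.Substring(0, iQuery);
    // When the last "/" is not the first character, keep only the text after it.
    if (sUrl.LastIndexOf("/") != 0)
    {
        sUrl = sUrl.Substring(sUrl.LastIndexOf("/") + 1);
    }
    // Name of the authenticated user (empty for an anonymous request).
    string sUserName = HttpContext.Current.User.Identity.Name;
}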
Hope that helps.
Prodip Saha
"MattC" <m@m.com> wrote in message
news:udQClBkQEHA.3732@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> I have a requirement that security be devised at page level. I am also
> required to keep an audit trail of who performed what action, when and
> what on.
>
> My current solution is as follows:
>
> Create 5 DB tables: Users, SecurityProfiles, SystemTasks,
> TasksProfileLinks, Audit.
>
> For this to work each user is given a securityprofileID, a security
> profile is told which SystemTasks can be performed (via the
> TasksProfileLinks table). As each ASPX page loads it will have hardcoded
> the name of the SystemTasks it is designed to perform. It will then take
> the current session's SecurityProfileID and determine if this user is
> allowed to view the page, if not then a redirect takes place and the
> UserID, SystemTask, DateTime are entered into the audit table.
>
> Although this would work, it does require that each page knows ahead of
> time what its SystemTask name is.
>
> Has anyone done something similar to this before and have a better
> implementation?
>
> Thanx in advance.
>
> Matt
>
>
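
An added example (not code from either poster) of one way to combine the two ideas in this thread: a single page-to-SystemTask map, checked once per request as it could be from Application_PreRequestHandlerExecute, so that individual pages need not hardcode their task name. The class, page and task names are hypothetical, and in-memory collections with constructed data stand in for the TasksProfileLinks and Audit tables.

```csharp
// Added example with hypothetical names; in-memory collections (constructed
// data) stand in for the SystemTasks, TasksProfileLinks and Audit tables.
using System;
using System.Collections.Generic;

public sealed class PageAuthorizer
{
    // Page name -> SystemTask, kept in one place instead of inside each page.
    private readonly Dictionary<string, string> pageTasks =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "orders.aspx", "ViewOrders" }, { "users.aspx", "ManageUsers" } };
    // SecurityProfileID -> SystemTasks that profile may perform.
    private readonly Dictionary<int, HashSet<string>> profileTasks =
        new Dictionary<int, HashSet<string>>
        { { 1, new HashSet<string> { "ViewOrders" } },
          { 2, new HashSet<string> { "ViewOrders", "ManageUsers" } } };
    public readonly List<string> Audit = new List<string>();

    // Reduce a raw URL to its page name. The query string is dropped first so
    // that a "/" inside a parameter value cannot change which page is checked.
    public static string PageName(string rawUrl)
    {
        int q = rawUrl.IndexOf('?');
        string path = q >= 0 ? rawUrl.Substring(0, q) : rawUrl;
        return path.Substring(path.LastIndexOf('/') + 1);
    }

    // Deny by default: a page with no mapping or an unknown profile is refused.
    // This sketch records every decision, allowed or not, in the audit trail.
    public bool IsAllowed(string rawUrl, string userName, int profileId)
    {
        string page = PageName(rawUrl);
        string task;
        HashSet<string> allowed;
        bool ok = pageTasks.TryGetValue(page, out task)
               && profileTasks.TryGetValue(profileId, out allowed)
               && allowed.Contains(task);
        Audit.Add(string.Format("{0:o} user={1} page={2} task={3} allowed={4}",
            DateTime.UtcNow, userName, page, task ?? "(unmapped)", ok));
        return ok;
    }

    public static void Main()
    {
        var authz = new PageAuthorizer();
        authz.IsAllowed("/app/orders.aspx?id=7", "alice", 1);
        authz.IsAllowed("/app/users.aspx?r=/app/orders.aspx", "alice", 1);
        authz.IsAllowed("/app/reports.aspx", "bob", 2);
        authz.Audit.ForEach(Console.WriteLine);
    }
}
```

In the handler from the reply, the arguments would come from HttpContext.Current.Request.RawUrl, User.Identity.Name and the session's SecurityProfileID, and a false result would trigger the redirect.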