Re: Best way to provide security when need a WindowsIdentity



for 2)

If you have to store the credentials, I would not recommend storing them in a DB. Use caching in the web server to cache them for a short period of time, and don't cache the credentials in clear text.

for 3)

BTW, you cannot have authentication mode=Forms AND Windows in the same application. Keep that in mind.



---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi;

Suggestions please. This is for a portal that we will ship to multiple
customers so we need to make security as painless as possible while
still protecting them. This portal does reporting and therefore needs
to read files (xml) and databases (select only).

I see it falling into 3 categories:

1) All users are in the domain and all use IE as a browser. We can
then use Windows authentication and all access to files and SSPI
database queries is done under the WindowsIdentity of the user.
Single sign-on and uses the existing domain permissions - life is good.

2) Not all users are in Active Directory - they may not even be on a
domain. In this case we use the ASP.NET user database and sign-on is
via forms. For reading a file (we only read) we give them the option
of: a) anything the server can read, b) they must enter a
username/password each time and we create that Windows user and then
read, c) They store a username/password with the filename as a
datasource in our database and we use that to create a user to read.
For DB access we do the same thing using %user% and %pass% in the
connection string. This is by definition a less secure world but I
don't see what else we can do.

3) All users are in Active Directory but some do not use IE and
therefore we can't require Windows authentication. I believe we can
allow both windows and forms authentication so we are still in group
(1) for those using IE. But for the rest, it seems to me we have two
approaches when reading files/databases. a) We store the username &
password in memory (do not save anywhere!!!) and create a
WindowsIdentity to read. b) we run like item (2) above where we are
saving and/or prompting for a username/password for accessing data. It
seems to me the safer of these two is (a) because we are storing the
password in memory only. But choice (b) can be user/pass that have
very limited permissions so in that case, while they could be saved in
our database, they are not a user's credentials.

???
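The approach discussed in the thread (create a WindowsIdentity from a username/password the user supplied, read files or open SSPI database connections under it, and keep the credentials only in the web server's cache for a short time, not in clear text) looks roughly like the following. This is an added example, not code from the original post or from Dominick's reply. It assumes a .NET/ASP.NET 2.0-or-later web application with a reference to System.Security.dll (for DPAPI via ProtectedData); the class and method names, the 5-minute TTL, and the per-process entropy are choices made here for illustration.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Caching;

// Added example: impersonate a Windows account from a supplied username/password,
// keeping the password only in the ASP.NET cache, DPAPI-protected, with a short expiry.
public static class CredentialImpersonation
{
    // Documented LogonUser constants. An INTERACTIVE logon yields a token that carries
    // credentials, so the impersonated code can reach remote shares and SQL Server;
    // a NETWORK logon (type 3) token cannot make that second hop.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Assumption: random per-process entropy generated at startup and never persisted,
    // so a cached blob is only usable by this worker process while it is running.
    static readonly byte[] Entropy = CreateEntropy();

    static byte[] CreateEntropy()
    {
        byte[] e = new byte[32];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider()) rng.GetBytes(e);
        return e;
    }

    // Cache "domain\user" -> DPAPI-protected password with an absolute expiry (e.g. 5 minutes).
    public static void CacheCredential(string domain, string user, string password, TimeSpan ttl)
    {
        byte[] plain = Encoding.Unicode.GetBytes(password);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);          // drop the clear-text copy we control
        HttpRuntime.Cache.Insert(CacheKey(domain, user), blob, null,
                                 DateTime.UtcNow.Add(ttl), Cache.NoSlidingExpiration);
    }

    // Run `action` as the cached user. Returns false when the entry has expired or was never
    // cached, so the caller knows to prompt for the password again.
    public static bool RunAsCachedUser(string domain, string user, Action action)
    {
        byte[] blob = HttpRuntime.Cache[CacheKey(domain, user)] as byte[];
        if (blob == null) return false;

        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        string password = Encoding.Unicode.GetString(plain);
        Array.Clear(plain, 0, plain.Length);
        RunAs(domain, user, password, action);
        // Note: the managed string stays in memory until garbage collected; there is no way
        // to zero it, which is one reason the cache lifetime should be short.
        return true;
    }

    // Log the account on and impersonate it for the duration of `action`.
    public static void RunAs(string domain, string user, string password, Action action)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new UnauthorizedAccessException(
                "LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());
        try
        {
            WindowsIdentity identity = new WindowsIdentity(token);
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                action();   // file reads and Integrated Security=SSPI connections run as domain\user
            }               // Dispose() reverts to the worker process identity, even on exceptions
        }
        finally
        {
            CloseHandle(token);
        }
    }

    static string CacheKey(string domain, string user)
    {
        return "cred:" + domain.ToLowerInvariant() + "\\" + user.ToLowerInvariant();
    }
}
```

Usage from a page would be `CredentialImpersonation.CacheCredential("CORP", "jdoe", enteredPassword, TimeSpan.FromMinutes(5));` once after the user types the password, then `CredentialImpersonation.RunAsCachedUser("CORP", "jdoe", () => xml = File.ReadAllText(reportPath));` on later requests, re-prompting whenever it returns false. Inside the impersonated block a connection string with `Integrated Security=SSPI` authenticates as the impersonated account, so the %user%/%pass% substitution in the connection string is not needed for the Windows-account case. Two caveats a deployment should check: DPAPI's CurrentUser scope needs the worker process's user profile loaded (if the application pool runs without a profile, use LocalMachine scope with the same entropy), and the account running the worker process needs the "Log on as a batch/interactive" right on the server for LogonUser to succeed with that logon type.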





