Shared security for ASP.NET and non-ASP

From: baylor (baylor_at_discussions.microsoft.com)
Date: 06/08/05


Date: Tue, 7 Jun 2005 15:58:02 -0700

This might be an FAQ... i have a working security system to authenticate and
authorize various things in an ASP.NET app. When the user logs in i use the
MSEL SAB to get an IPrincipal. Windows stores the IIdentity part of it in a
cookie (which seems silly). i create a UserSecurityProfile object that
contains the IPrincipal plus a bunch of other stuff we need that the
IPrincipal doesn't have and store that in Session.

All of our business objects have security, meaning they grab your
UserSecurityProfile from Session. They could grab Thread.CurrentPrincipal but
that won't have any role data because .NET silently throws it away for
whatever reason. Oh well, we need a little more than role data too, although
not that often.

We're writing batch jobs that will use our business objects. Which is a
problem because it's not a Web app, which means no Session, which means no
UserSecurityProfile.

There are a variety of ways i can solve this. i can just let Windows pass
around the IIdentity portion of the IPrincipal and make the ~5 database calls
(across two databases) to load the other info every time i need it. i can
store the security profile in a database as a blob instead of using Session.
While i'm not sure, there might be a way to force Windows &/or .NET to keep
the role info (if it were just ASP.NET i could manually write the security
cookie).

i'm not sure which approach is best but i'm guessing plenty of people have
run into this sort of thing before. Ideas?

-baylor
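One way to make the business objects independent of Session, as an added example that is not part of the original post: carry the roles and the extra profile data inside a custom IPrincipal published on Thread.CurrentPrincipal, so the web app and the batch job both resolve it the same way. ProfilePrincipal, SecurityContext and InvoiceService are hypothetical names; the profile loader is whatever code performs the database calls the post mentions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

// Hypothetical principal that carries roles and the extra profile fields
// alongside the IIdentity, so nothing has to be fetched from Session.
public sealed class ProfilePrincipal : IPrincipal
{
    private readonly HashSet<string> roles;

    public ProfilePrincipal(IIdentity identity, IEnumerable<string> roles,
                            IDictionary<string, string> profile)
    {
        Identity = identity;
        this.roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
        Profile = profile;
    }

    public IIdentity Identity { get; }
    public IDictionary<string, string> Profile { get; }
    public bool IsInRole(string role) => roles.Contains(role);
}

// The single place business objects read the caller from. It fails closed:
// a thread with no ProfilePrincipal is an error, not an anonymous user.
public static class SecurityContext
{
    public static ProfilePrincipal Current =>
        Thread.CurrentPrincipal as ProfilePrincipal
        ?? throw new InvalidOperationException("No ProfilePrincipal on this thread");

    // Batch entry point: take the process's Windows identity, load roles and
    // profile once (the database calls), and publish the result on the thread.
    public static void EstablishForBatch(
        Func<IIdentity, (string[] Roles, Dictionary<string, string> Profile)> load)
    {
        var identity = WindowsIdentity.GetCurrent();
        var (roles, profile) = load(identity);
        Thread.CurrentPrincipal = new ProfilePrincipal(identity, roles, profile);
    }
}

public class InvoiceService
{
    public void Approve(int invoiceId)
    {
        var user = SecurityContext.Current;   // same call in web and batch
        if (!user.IsInRole("Approver"))
            throw new UnauthorizedAccessException(
                $"{user.Identity.Name} may not approve invoice {invoiceId}");
        // ... approval logic ...
    }
}
```

In the ASP.NET app the same ProfilePrincipal would be built once at login and assigned to both HttpContext.Current.User and Thread.CurrentPrincipal on each request (for example in PostAuthenticateRequest), so role data comes from the server-side load rather than from whatever survives in the cookie.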


