Role-based security for an ASP/ASP.NET mixed environment

Hello:

My co-worker and I have been charged with designing role-based security
for our intranet. The technologies we have to work with are ASP and
ASP.NET. This security design must support *both* technologies.
Currently, we have a successful collection of both ASP and ASP.NET
applications with an identical look and feel; you'd only know they are
different by virtue of an ASP or an ASPX file extension. These
applications all support a common authentication scheme implemented
through cookies. This scheme is simple and very low-security: check
for a "userID" cookie with a well-known name. While we plan to tighten
this up (using some sort of encrypted token/userID combo), our problem
lies in how we need to use roles.

If this were a pure ASP.NET site, I don't think we'd have as much
trouble as I anticipate, however we need to support the classic ASP
side as well. We plan on implementing the actual application security
roles in Active Directory groups with well-known names. For example,
"East Coast Office Project Editor" and "Checking Account
Administrator". Although individual users will (optimally) most likely
be placed in only one group (e.g. "Central Office, Dept. B, Teller
Position 3"), through multiple group containment they could conceivably
be indirect members of hundreds of application roles. The problem I
foresee is that of performance. For a highly role-based application,
each page refresh is going to have to ask whether the current user is a
member of roles A, B, F, Q, and X; this in order to allow or deny
access to the page itself, certain sections, edit or read-only, and
even field-level access. So, I'm worried that it may not be the best
idea to be directly querying AD 10, 20 times on every page refresh.
Assuming that this scenario is not acceptable, I would think the only
other way is to somehow cache the collection of direct and indirect
roles to which the logged-in user is a member.

At this point, I have to think of the best way to do this not only for
ASP.NET, but also for ASP. Ignoring ASP, I suppose there is the
possibility of performing this query for all the user's roles and then
stuffing this in a session-based dictionary/hashtable/whatever for
quick lookup. Then, if the user is a member of 100s of roles, I have
to worry about 40-50 concurrent sessions, each with all these roles.
What kind of performance am I going to get out of session with this
much data? Ignoring that, how do I implement the same thing in ASP?

At this point, you may be thinking I'm an amateur ... and I certainly
would not disagree with you, at least from a security standpoint. So I
think about how exactly these roles are "queried" by the application.
While having the list easily at hand while the page is executing, I
figure the only question that has to be answered (granted, many times
in succession) is "Is the current user a member of role QPR?" I don't
ever really need to have a list of roles and I don't need to go through
the list and display their names. Mainly, I just need this very simple
boolean pseudo code: "IsMember( userName, roleName )". Again here,
please don't flame me for my amateurishness, but isn't there a way to
encode or encrypt those group names with the user name into a
relatively small block of data and just "query" the block with the user
name and group name and get back a yes or no if they "jive"? Is this
what's called a hash or a token? Or does this even exist?

If I'm not making myself clear here, I mainly want to take a user and
the known groups of which s/he is a member. Then, mathematically or
cryptographically "melt" them all together into a small block of data
for storage and easy querying. The pseudo code would look something
like IsMember( userName, groupName, AUTHORIZATION_BLOCK ) and get back
a boolean. The AUTHORIZATION_BLOCK would be this "melted" block of
data that was created from the combination of the user and the groups.
This AUTHORIZATION_BLOCK would be small enough to fit into ASP session,
which I've heard it is dangerous to store objects to.

Am I over-engineering here? Am I looking for the wrong thing? Are the
multiple queries to AD for every page refresh not as expensive as I
think it will be?

--
Thanks,
Chris

Apr 20 '06 #1
Not that you didn't explain things well and please take no offense.
But I think you will find that no one in the newsgroups is usually interested
in trying to answer huge questions like that.

That's a lot to read and a lot to think about and yes I did read it.
This place is more for things like having trouble with a bit of code.

Take Care
Apr 21 '06 #2
Hello Chris,
I too am attempting to create a role-based authentication system for a site that will use classic ASP and ASP.NET.

I have been under the impression that I am going to have to write for the lowest common denominator - ASP.

What I was planning to do was use cookies or session to store an array of IDs and associated boolean values - (i.e. Permission #1: Can user do X? Value: Yes represented as 1,Yes). That array would be serialised and stored, and would need to be retrieved on each check.

I'm planning to use an include at the top of every page that will need to reference permissions to de-serialise the string of permissions and allow me to look up the appropriate permission based on the array index.

The benefit of this method is that the permissions only need to be retrieved from the database once per session (on login) - so no potentially expensive AD queries - and in a page where there might be up to 20 permissions checks - the lookups can be performed against a pre-built array.

Hope you went well with yours. Wish me luck!
---
Posted via www.DotNetSlackers.com
May 8 '06 #3
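The "AUTHORIZATION_BLOCK" Chris asks about in the original post, and the serialised permission array described in the reply above, are the same object: a compact set of role bits bound to a user name and protected by a keyed MAC, so that a page can answer IsMember(userName, roleName, block) without touching AD and without trusting anything the browser sends back. The following Python is an added illustration, not code from either poster or from ASP/ASP.NET; the role catalogue, the user names and the server key are constructed for the example. It also shows why the reply's cookie variant needs the MAC: tamper_grant() does what any browser user could do to an unsigned "1,0,1" cookie, and is_member() rejects the result.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumption: a secret held only on the web servers (machine-level config),
# never sent to the browser. Rotating it invalidates every outstanding block.
SERVER_KEY = b"replace-with-a-random-32-byte-secret"

# Constructed role catalogue: the well-known AD group names the applications
# check, in a fixed order. A role's position in this list is its bit position.
ROLE_CATALOGUE = [
    "East Coast Office Project Editor",
    "Checking Account Administrator",
    "Checking Account Teller",
    "Central Office, Dept. B, Teller Position 3",
]
ROLE_INDEX = {name: i for i, name in enumerate(ROLE_CATALOGUE)}
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256


def build_authorization_block(user_name, roles, issued_at=None, key=SERVER_KEY):
    """Fold user name + issue time + role bitmap into one signed base64 string."""
    name = user_name.encode("utf-8")
    bits = bytearray((len(ROLE_CATALOGUE) + 7) // 8)
    for role in roles:
        idx = ROLE_INDEX.get(role)
        if idx is not None:  # groups outside the catalogue carry no bit
            bits[idx // 8] |= 1 << (idx % 8)
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    payload = (struct.pack(">H", len(name)) + name
               + struct.pack(">I", issued_at) + bytes(bits))
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def _open_block(block, key):
    """Return (user_name, issued_at, bits), or None if the MAC does not verify."""
    try:
        raw = base64.urlsafe_b64decode(block.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) < TAG_LEN + 6:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    (name_len,) = struct.unpack(">H", payload[:2])
    name = payload[2:2 + name_len]
    (issued_at,) = struct.unpack(">I", payload[2 + name_len:6 + name_len])
    bits = payload[6 + name_len:]
    return name.decode("utf-8"), issued_at, bits


def is_member(user_name, role_name, block, key=SERVER_KEY, max_age=8 * 3600, now=None):
    """The one question the pages ask. False on bad MAC, wrong user, expiry, or no bit."""
    opened = _open_block(block, key)
    if opened is None:
        return False
    name, issued_at, bits = opened
    now = time.time() if now is None else now
    if name != user_name or now - issued_at > max_age:
        return False
    idx = ROLE_INDEX.get(role_name)
    if idx is None or idx // 8 >= len(bits):
        return False
    return bool(bits[idx // 8] & (1 << (idx % 8)))


def tamper_grant(block, role_name):
    """What a user could do to an unsigned cookie: set the bit for a role they lack.
    The MAC is left as-is, so is_member() must reject the whole block afterwards."""
    raw = bytearray(base64.urlsafe_b64decode(block.encode("ascii")))
    (name_len,) = struct.unpack(">H", bytes(raw[:2]))
    idx = ROLE_INDEX[role_name]
    raw[6 + name_len + idx // 8] |= 1 << (idx % 8)
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    block = build_authorization_block("chris", {"Checking Account Teller"})
    print(len(block), "chars:", block)
    print(is_member("chris", "Checking Account Teller", block))
    print(is_member("chris", "Checking Account Administrator",
                    tamper_grant(block, "Checking Account Administrator")))
```

Sizing: a catalogue of 1,000 roles costs 125 bytes of bitmap plus a 32-byte tag, well under a cookie limit and a plain string in ASP Session, which sidesteps the COM-object-in-Session problem discussed later in the thread. If the block lives only in server-side Session, the MAC is belt-and-braces; if it travels in a cookie, it is the only thing standing between the user and self-granted roles. Either way the checks that matter are the user binding (a block issued to one user cannot be replayed for another) and the expiry (group changes in AD take effect at the next re-issue at the latest).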
Yah, that's pretty much what we figured. Indeed, ASP was the LCD and I
think we were prematurely afraid of using Session in that environment.
All the reading I've done only warns against storing COM objects in ASP
Session. Anyway, yes some sort of array or dictionary in Session I
think is going to do it for us. We'll still be using AD, but we'll
probably do an initial query to populate the session for both ASP and
ASP.NET and then leave the AD server alone for the rest of the session
or until we need to manually repopulate roles.

Thanks for the reply and I'm glad I'm not the only one out here trying
to do this.

May 16 '06 #4
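The plan in the post above, one directory query at login and then leave AD alone until the roles are deliberately repopulated, has two parts worth seeing in code: expanding nested group containment into the full set of indirect roles (in a real deployment a single read of the user's tokenGroups attribute returns this transitive set, computed by the domain controller), and a per-session cache that expires or can be invalidated when administrators change group membership. The Python below is an added example, not the posters' code; the memberOf graph, user names and timings are constructed, and the graph includes a deliberate cycle because nested AD groups can contain one another.

```python
import time
from collections import deque

# Constructed memberOf graph standing in for the directory: principal -> groups it is
# a direct member of. Nested containment and one deliberate cycle are included.
MEMBER_OF = {
    "chris": {"Central Office, Dept. B, Teller Position 3"},
    "Central Office, Dept. B, Teller Position 3": {"Checking Account Teller", "Dept. B Staff"},
    "Checking Account Teller": {"Checking Account Reader"},
    "Dept. B Staff": {"Intranet Users", "Dept. B Staff Mailing"},
    "Dept. B Staff Mailing": {"Dept. B Staff"},  # cycle: expansion must not loop forever
    "Intranet Users": set(),
    "Checking Account Reader": set(),
}


class Directory:
    """Stand-in for the LDAP/AD round trip. Counts queries so the cache effect is visible."""

    def __init__(self, member_of):
        self.member_of = member_of
        self.queries = 0

    def transitive_groups(self, principal):
        """Breadth-first expansion of nested membership; 'seen' handles cycles."""
        self.queries += 1
        seen, queue = set(), deque([principal])
        while queue:
            current = queue.popleft()
            for group in self.member_of.get(current, ()):
                if group not in seen:
                    seen.add(group)
                    queue.append(group)
        return frozenset(seen)


class RoleCache:
    """Per-user role set: fetched once, reused until it expires or is invalidated."""

    def __init__(self, directory, ttl_seconds=3600, clock=time.time):
        self.directory = directory
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}   # user -> (roles, fetched_at, generation)
        self.generation = 0  # bumped when admins change group membership

    def roles_for(self, user):
        now = self.clock()
        entry = self._entries.get(user)
        if entry is not None:
            roles, fetched_at, gen = entry
            if gen == self.generation and now - fetched_at < self.ttl:
                return roles
        roles = self.directory.transitive_groups(user)  # the one expensive call
        self._entries[user] = (roles, now, self.generation)
        return roles

    def is_member(self, user, role):
        """Cheap per-check lookup; 20 of these per page cost one directory query at most."""
        return role in self.roles_for(user)

    def invalidate(self, user):
        """Force a refetch for one user (e.g. after an admin edits their groups)."""
        self._entries.pop(user, None)

    def invalidate_all(self):
        """Force a refetch for everyone without walking every session."""
        self.generation += 1


if __name__ == "__main__":
    directory = Directory(MEMBER_OF)
    cache = RoleCache(directory, ttl_seconds=600)
    for role in ("Checking Account Reader", "Intranet Users", "East Coast Office Project Editor"):
        print(role, cache.is_member("chris", role))
    print("directory queries:", directory.queries)
```

The expiry bounds how stale a cached role set can get; the generation counter lets an admin tool revoke access for everyone at once without enumerating sessions, which matters more than the TTL when a role is removed for cause. In classic ASP the same shape works with a per-session string of role names (or the signed block from the earlier example) stored in Session and an include that does the lookup; the cache here is process-wide only to make the query counting visible.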
nugget wrote:
Yah, that's pretty much what we figured. Indeed, ASP was the LCD and
I think we were prematurely afraid of using Session in that
environment. All the reading I've done only warns against storing COM
objects in ASP Session. Anyway, yes some sort of array or dictionary
in Session I think is going to do it for us.


not Dictionary, I hope. Use a free-threaded XML DOMDocument.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
May 16 '06 #5
Oh no? Why no Dictionary?

May 16 '06 #6
nugget wrote:
Oh no? Why no Dictionary?


Threading issues. It is a COM object and worse, an apartment-threaded COM
object.
http://www.aspfaqs.com/aspfaqs/ShowFAQ.asp?FAQID=129
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
May 16 '06 #7
Good to know. Thanks. I'll use the free-threaded XML document as you
suggest.

May 16 '06 #8