Bytes | Software Development & Data Engineering Community

Authentication and Auditing: Incorrect Username in Audit tables

Hi,

I've been tasked with reviewing the Authentication and Auditing of an
application and database.

ASP/ASP.NET 1.1 app with SQL Server 2000 database. Separate audit trail
database on same server.

The system is intranet based and currently uses Basic Authentication on
IIS6. The application itself is mostly classic ASP, but has been
migrated into a .NET 1.1 Framework Project. So there are both .asp and
.aspx pages. We have auditing triggers on the tables in the database,
but the wrong username or no username are currently being inserted.
Authenticated users have logons to db with full DML permissions

We now have Active Directory. Most of the data access is done through a
SQLXML virtual directory using templates, schemas and updategrams. This
is using a shared login, so no user info is coming through to
SUSER_SNAME().

We intend to swap from Basic Authentication to Integrated Windows
Authentication.

Basically I want to get the real username available to the triggers in
SQL Server. I also want to tighten up the security. I am unsure what I
need in terms of impersonation, application roles or shared database
role etc. I don't have the resources for a complete redesign, but could
probably do some significant changes if necessary.

My initial stab would be use Integrated Windows Authentication on IIS
and SQLXML Virtual Directory. I think that means that I need to enable
Impersonation for the aspx pages (the asp pages should impersonate by
default ??). I should then enable an app role in the templates??? Can
you use app roles with updategrams???? Also, given that the triggers
reference a separate audit trail database, wouldn't an app role limit
access to this?

The other option is to use a shared db login for everyone and pass the
actual username in as a parameter, but that would seem to require
changes to every single query/sp in the database/app.

I'm not sure that I explained myself very well above. Hope someone can
help me figure this out! There are perhaps 2 issues here. 1 - I need to
get the authenticated user's name through to the audit table with the
minimum of fuss. 2 - I'd like to stop every man and his dog having
write access to all the tables in the database via ODBC.

Oh, I haven't mentioned app authorisation - that bit seems fine! A
table in the database.

Cheers,

James

Sep 12 '06 #1
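One way to get the authenticated user through to the triggers without rewriting every query, as an added example that is not part of the original post or the asker's code: keep the shared SQLXML login, have the application stamp the Windows user name on the connection with SET CONTEXT_INFO once it knows who the caller is, and let the trigger read that stamp back and fall back to SUSER_SNAME() when it is absent. The table names (AppDB.dbo.Customer, AuditDB.dbo.Customer_Audit), the shared login's database user name (SqlxmlShared), the role name and the sample user name are assumptions made for illustration. The script targets SQL Server 2000 T-SQL, where the session's context info is read from master.dbo.sysprocesses (the CONTEXT_INFO() function only appeared in SQL Server 2005).

```sql
-- Added example, not from the original post. Assumed objects: dbo.Customer in
-- AppDB, dbo.Customer_Audit in the separate AuditDB, a database user
-- SqlxmlShared for the shared SQLXML login. Written for SQL Server 2000.

-- 1. Audit table in the separate audit database. It records both the user the
--    application authenticated and the login the connection actually used, so
--    a shared login and a direct Windows login are both still visible.
USE AuditDB
GO
CREATE TABLE dbo.Customer_Audit (
    AuditId     INT IDENTITY(1,1) PRIMARY KEY,
    CustomerId  INT           NOT NULL,
    Action      CHAR(1)       NOT NULL,            -- I, U or D
    AppUser     VARCHAR(128)  NOT NULL,            -- stamped by the application
    DbLogin     NVARCHAR(128) NOT NULL,            -- SUSER_SNAME() at trigger time
    ChangedAt   DATETIME      NOT NULL DEFAULT GETDATE()
)
GO
-- The shared login must be able to write here from a trigger in AppDB.
GRANT INSERT ON dbo.Customer_Audit TO SqlxmlShared
GO

-- 2. Application side: run on the connection at the start of EVERY request,
--    before any DML. The stamp lives on the physical connection, and ADO /
--    ADO.NET pool connections, so stamping once per connection lifetime would
--    leak the previous user's name into the next request. @user would come from
--    Request.ServerVariables("LOGON_USER") (ASP) or User.Identity.Name
--    (ASP.NET); the value below is a constructed sample.
USE AppDB
GO
DECLARE @user VARCHAR(128), @ctx VARBINARY(128)
SET @user = 'CORP\jsmith'
-- Pad to CHAR(128) before converting so the 128-byte context buffer is
-- space-filled rather than zero-filled; the trigger can then RTRIM it cleanly.
SET @ctx = CAST(CONVERT(CHAR(128), @user) AS VARBINARY(128))
SET CONTEXT_INFO @ctx
GO

-- 3. Trigger: copes with multi-row statements, reads the stamp, and marks
--    writes from unstamped sessions (e.g. someone using ODBC directly).
CREATE TRIGGER dbo.trg_Customer_Audit ON dbo.Customer
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON
    DECLARE @raw VARBINARY(128), @appUser VARCHAR(128), @action CHAR(1)

    SELECT @raw = context_info
    FROM master.dbo.sysprocesses
    WHERE spid = @@SPID

    -- A session that never called SET CONTEXT_INFO reads back NULL or all 0x00.
    IF @raw IS NULL OR SUBSTRING(@raw, 1, 1) = 0x00
        SET @appUser = '(direct) ' + SUSER_SNAME()
    ELSE
        SET @appUser = RTRIM(CAST(@raw AS CHAR(128)))

    IF EXISTS (SELECT * FROM inserted) AND EXISTS (SELECT * FROM deleted)
        SET @action = 'U'
    ELSE IF EXISTS (SELECT * FROM inserted)
        SET @action = 'I'
    ELSE
        SET @action = 'D'

    -- UNION covers inserts, deletes and key changes on update in one pass.
    INSERT AuditDB.dbo.Customer_Audit (CustomerId, Action, AppUser, DbLogin)
    SELECT changed.CustomerId, @action, @appUser, SUSER_SNAME()
    FROM (SELECT CustomerId FROM inserted
          UNION SELECT CustomerId FROM deleted) AS changed
END
GO

-- 4. Tightening direct ODBC access: put DML on a role held only by the shared
--    application login. How the existing users received DML (db_datawriter,
--    direct grants) decides what has to be revoked; this shows the grant side
--    and one representative revoke.
EXEC sp_addrole 'AppWriter'
GO
EXEC sp_addrolemember 'AppWriter', 'SqlxmlShared'
GO
GRANT INSERT, UPDATE, DELETE ON dbo.Customer TO AppWriter
REVOKE INSERT, UPDATE, DELETE ON dbo.Customer FROM public
GO
```

Two caveats worth checking before relying on this. First, the trigger writes into AuditDB under the caller's security context, so the login needs a user and INSERT there (or cross-database ownership chaining, which SQL Server 2000 SP3 exposes through sp_configure); an application role activated with sp_setapprole would not help, because after activation the session reaches other databases only with whatever the guest user there is allowed, which is the limit the post asks about. Second, the example assumes the application controls the connection and can issue SET CONTEXT_INFO before the updategram runs; with the SQLXML virtual directory that is the step to verify, since the stamp must go out on the same connection as the DML.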


