Design Issue: Separating Application Security Model from the Application (Custom or User) Controls

Background:
When I create an ASP.NET control (User or custom), it often requires security to be set for certain functionality with the control. For example, a news release user control that is comprised of a DataGrid may have separate permissions for adding, deleting and updating a news item.

Problem
Up until now, I have been implementing security directly inside the control. I will test directly against the security model to see if permission is granted for each control permission. For example, the control may use something like

if (Page.User.IsInRole("fld")) {...}


The problem with this is that if I decide to use this control in another application that implements a different security model or want to change the security model, I need to change every control I have built.

Goal
I would like to create my controls such that they are independent of any security model, yet implement security.

Some Thoughts
When I first thought about this issue, I figured I would just create a Boolean property for each control permission and set that property using the security model. However, many of my controls are dynamically loaded and I do not know what permissions to set at run time. I could create a security wrapper around each control, but this would add another level of abstraction that is cumbersome and results in almost the same problem... the security model being dispersed throughout all my code.

Proposed Solution
Here are some ideas on implementing a universal security model for all my own controls.

What if all controls were passed a standard .NET data structure such as a Sorted List that contained all of the current user permissions for all controls? The control itself would then check to see if the permission in the Sorted List exists for each of its own set of permissions, granting or denying permissions appropriately.

The job of the security model would simply be to create this Sorted List for the user. This list could be stored in a session cache (I created a custom class for session cache) and retrieved on demand.

To get a little elaborate, each custom control (or user control) could inherit from a base class that contains a "set permissions" method that receives the Sorted List of permissions and sets them for that control. In order for the "set permissions" method to know how to access the permissions of the control, each control could contain a sub-class with the same name (such as "permissionsclass") that contains a property for each permission in the control (see pseudo code below). The "set permissions" method would then use class reflection to iterate through the permission properties of the permissionsclass sub-class and set their permission properties based on whether or not the permission of the same name exists in the permissions Sorted List.

The permissions of the control could still be set manually, if that is necessary, by using dot access such as

controlclass1.permissionsclass.EditPermission=(true|false)



//Pseudo code for control class permission structure
class controlclass //control class
{
    public class permissionsclass //permissions sub-class
    {
        // One Boolean property per permission the control understands
        public bool EditPermission { get; set; } //permission

        public bool DeletePermission { get; set; }

        public bool UpdatePermission { get; set; }
    }
}

This model would completely separate the security model from the control itself. The bridge between the security model and the control would be a standard .NET data structure, and therefore the control could be implemented in any application, regardless of the underlying security model. Since the permission could be set explicitly or via the Sorted List data structure, it gives the user of the control complete flexibility in how to set its permissions.

Does anyone have any thoughts on this, what's good and what's not, and any alternative solutions that might work better? I am just in the thinking phase and want to get on the right track from the beginning, if there is such a thing.

Thanks for your input

Earl

Nov 18 '05 #1
a better solution would be the factory pattern. basically define a security interface your controls use. then use the factory pattern for the application to supply the security object (easy to have a default).

-- bruce (sqlwork.com)

Nov 18 '05 #2
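A sketch of the interface-plus-factory approach suggested in the reply above, as an added example that is not code from either poster. The names `IPermissionProvider`, `RolePermissionProvider` and `PermissionProviderFactory` are hypothetical, and the built-in default denies every permission until the application registers its own provider.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical contract the controls call instead of Page.User.IsInRole(...).
public interface IPermissionProvider
{
    bool IsGranted(IPrincipal user, string control, string permission);
}

// One possible provider: maps "Control.Permission" to a role; unmapped means denied.
public sealed class RolePermissionProvider : IPermissionProvider
{
    private readonly IDictionary<string, string> _roleFor;
    public RolePermissionProvider(IDictionary<string, string> roleFor) => _roleFor = roleFor;

    public bool IsGranted(IPrincipal user, string control, string permission) =>
        user != null
        && _roleFor.TryGetValue(control + "." + permission, out var role)
        && user.IsInRole(role);
}

// Factory: the application registers its provider once at startup.
// Until it does, every check is denied (fail closed).
public static class PermissionProviderFactory
{
    private sealed class DenyAll : IPermissionProvider
    {
        public bool IsGranted(IPrincipal u, string c, string p) => false;
    }
    private static volatile IPermissionProvider _current = new DenyAll();
    public static void Register(IPermissionProvider provider) =>
        _current = provider ?? throw new ArgumentNullException(nameof(provider));
    public static IPermissionProvider Create() => _current;
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: role "fld" may edit news items, nothing else is mapped.
        var map = new Dictionary<string, string> { ["NewsRelease.Edit"] = "fld" };
        PermissionProviderFactory.Register(new RolePermissionProvider(map));
        IPrincipal user = new GenericPrincipal(new GenericIdentity("sample-user"), new[] { "fld" });
        var security = PermissionProviderFactory.Create();
        Console.WriteLine(security.IsGranted(user, "NewsRelease", "Edit"));
        Console.WriteLine(security.IsGranted(user, "NewsRelease", "Delete"));
    }
}
```

Inside a control, the role test becomes a call such as `PermissionProviderFactory.Create().IsGranted(Page.User, "NewsRelease", "Edit")`, so moving the control to an application with a different security model means registering a different provider rather than editing the control.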
