Role Based Security Question

Questions about Role Based Security in ASP.Net:

I have a few questions about role based security in an ASP.Net application.
Below are some points about our system:

- We have a hierarchical roles system stored in a database.
- We are also using Windows for authentication.
- Page - Role relationships are also held in a database.
- We have created a shared assembly for ease of use in applications.

Here are the goals we are trying to accomplish:

1. If a page (i.e. /Dir1/Dir2/Page1.aspx) has not been entered into our
system for the given application (i.e. /App1), throw an exception and let the
application handle it.
2. If a user is not in a role that is defined for the current page, throw an
exception and let the application handle it.
3. If two sibling roles (our roles are established in a hierarchy) have access
to the same page, allow the application to use this construct to control page
layout for different roles:

If User.IsInRole("RoleName1") = True Then
    pnlRole1.Visible = True
ElseIf User.IsInRole("RoleName2") = True Then
    pnlRole2.Visible = True
End If

Here is our current approach to solve each of these:

For Goal 1, load all the Application Pages into the Application object on
Application_Start and check the page for existence on each
Application_BeginRequest. For Goal 2, load all the roles the user is in and
the pages the user has access to into the Session object on Session_Start.
For Goal 3, load the roles into the IPrincipal interface to allow users to
use User.IsInRole("RoleName").

Here are the questions:

Do you think this is the best way? We are trying to minimize calls to the
database. We plan on testing this solution, and another solution using only
calls to the database and not storing data in the session or application
objects. Then use ACT to performance test each solution.

We plan on placing the code/shared assembly into an HTTP Module that
attaches to global events like Session Start, Application Start,
AcquireRequestState, etc. to check for security access. Is there any
better way?

Is there anything else we should check into?

TIA, Mike Logan

Nov 19 '05 #1
I suggest redirecting to a specific page instead of throwing an exception.
Nov 19 '05 #2

"Mike Logan" <Mi*******@community.nospam> wrote in message
news:96**********************************@microsof t.com...
<snip>
For Goal 1, load all the Application Pages into the Application object on
Application_Start and check the page for existence on each
Application_BeginRequest.
Not a good idea. With this approach, you'll need to restart the application
in order to get a newly added page to be properly handled after its
permissions have been set in the db. Either store the data in a cache
that's invalidated when the db is updated, add an administrative means to
repopulate the collection, or don't cache at all. Also, you might want to
keep in mind that maintenance of the cache may also affect overall
performance of the application, particularly if the number of pages is very
large.

For Goal 2, load all the roles the user is in and
the pages the user has access to into the Session object on Session_Start.
Thereby allowing a user to maintain elevated permissions simply by keeping a
long session even if you've locked them out via the db? Again, not
generally a good idea. Also, any given legitimate user will place requests
relatively seldom (usually not more than one or two per minute in most
applications). Keeping a large permissions set in session state to handle
infrequent requests might not give you quite the performance advantage you
might expect. <g>

For Goal 3, load the roles into the IPrincipal interface to allow users to
use User.IsInRole("RoleName").
Fine, but when? As with the user-specific permission set, allowing the
cached roles to be persisted for too long could expose the site to
unintended use by users whose permissions have been decreased since their
sessions started.

Here are the questions:

Do you think this is the best way?
We are trying to minimize calls to the
database.
As suggested above, just make sure you don't compromise security or
useability to get there.

We plan on testing this solution, and another solution using only
calls to the database and not storing data in the session or application
objects. Then use ACT to performance test each solution.

We plan on placing the code/shared assembly into an HTTP Module that
attaches to global events like Session Start, Application Start,
AcquireRequestState, and etc. to check for security access. Is there any
better way?

Is there anything else we should check into?

TIA, Mike Logan

Nov 19 '05 #3
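An added example (my own code, not anything posted in the thread) of the HTTP module Mike outlines, reworked along the lines Nicole suggests: the page map and each user's roles come from the database through two assumed loader delegates, are held in the ASP.NET Cache with a short absolute expiry rather than in Application or Session state, and an InvalidatePageMap hook lets an administrator drop the page map after the database changes. The CacheTtl value, the delegate and class names, and the use of HttpException status codes for the "let the application handle it" exceptions are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
// Assumed loaders, wired up by the application at startup (not part of ASP.NET).
public delegate IDictionary<string, string[]> PageMapLoader();  // page path -> allowed roles
public delegate string[] UserRolesLoader(string userName);       // user -> roles held
public class RoleSecurityModule : IHttpModule
{
    static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(2);  // assumed value
    const string PageMapKey = "RoleSecurity.PageMap";
    public static PageMapLoader LoadPageMap;
    public static UserRolesLoader LoadUserRoles;

    // AuthorizeRequest fires after WindowsAuthenticationModule has set Context.User.
    public void Init(HttpApplication app) { app.AuthorizeRequest += OnAuthorizeRequest; }
    public void Dispose() { }

    // Administrative hook: call after page permissions change in the database.
    public static void InvalidatePageMap() { HttpRuntime.Cache.Remove(PageMapKey); }
    // Absolute expiry only: sliding renewal would let a busy user keep stale roles alive.
    static void Store(Cache c, string key, object v)
    { c.Insert(key, v, null, DateTime.Now.Add(CacheTtl), Cache.NoSlidingExpiration); }

    static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) throw new HttpException(401, "Windows authentication required");
        string path = ctx.Request.Path.ToLowerInvariant();

        // Goal 1: the page must be registered for this application.
        IDictionary<string, string[]> pageMap = (IDictionary<string, string[]>)ctx.Cache[PageMapKey];
        if (pageMap == null) Store(ctx.Cache, PageMapKey, pageMap = LoadPageMap());
        string[] allowedRoles;
        if (!pageMap.TryGetValue(path, out allowedRoles))
            throw new HttpException(404, "Page not registered: " + path);

        // Goal 3: wrap the Windows identity with the database roles so User.IsInRole
        // works in the page; cached per user for CacheTtl, not for the whole session.
        IIdentity identity = ctx.User.Identity;
        string[] roles = (string[])ctx.Cache["RoleSecurity.Roles." + identity.Name];
        if (roles == null) Store(ctx.Cache, "RoleSecurity.Roles." + identity.Name, roles = LoadUserRoles(identity.Name));
        ctx.User = new GenericPrincipal(identity, roles);

        // Goal 2: deny unless the user holds at least one role allowed for the page.
        foreach (string role in allowedRoles)
            if (ctx.User.IsInRole(role)) return;
        throw new HttpException(403, "Access denied to " + path);
    }
}
```

Because every request re-reads the cache and entries expire absolutely, a role revoked in the database stops working within CacheTtl even for a user who keeps a long session open, which is the exposure Nicole points out.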
Thanks for Nicole's informative suggestions.

Hi Mike,

As for the questions you mentioned, here are some of my understandings and
suggestions:
Q1: If you do need to manually do the checking, I think Nicole's suggestion
on using the Application Cache instead is reasonable.

Q2 & Q3:

I think Q2 and Q3 should be the same. Generally, if you're using Forms
Based Authentication, we'll store a user's roles info into the
cookie (Authentication ticket) at the time the user logs on, and then in each
of a user's sequential requests, we retrieve the roles from the cookie and
set them into the IPrincipal (current User) object in the application's
Authenticate Request event. However, since you're using Windows
Authentication rather than forms authentication and you store the roles at
session start into the user's sessionstate, we may need to change the
approach. I think if we store the roles in SessionState, it would be better
that we no longer use the IPrincipal object, and just check roles from
the SessionState when we need to do authorization in each page's initial
time. This will avoid the overhead of retrieving roles from sessionstate
and setting them into the request's current Principal object. (Also, as Nicole
mentioned, when to set it is a problem.)

Just some of my suggestions. If you have any other ideas or questions,
please feel free to post here.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Nov 19 '05 #4
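The forms-authentication variant Steven describes, as an added example (my own code, not from the thread): the roles are written into the ticket's UserData when the user logs on and restored into the current principal in Application_AuthenticateRequest. The '|' separator, the class and method names, and the short absolute ticket lifetime are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketRoles
{
    // Logon side: issue a ticket carrying the roles. The lifetime is absolute and
    // short, so a revoked role stops working when the ticket expires, not when the
    // user finally closes the browser. Roles are joined with '|' (assumed convention).
    public static HttpCookie IssueTicket(string userName, string[] roles, int minutes)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(minutes),
            false, string.Join("|", roles));
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // keep the ticket out of reach of page script
        return cookie;
    }

    // Request side: call from Global.asax Application_AuthenticateRequest.
    public static void RestorePrincipal(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;                       // anonymous request
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }                     // tampered or foreign ticket
        if (ticket == null || ticket.Expired) return;     // stale ticket: stay anonymous
        string[] roles = ticket.UserData.Length == 0 ? new string[0] : ticket.UserData.Split('|');
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

The ticket is encrypted and signed with the machine key, so the roles it carries cannot be edited client-side, but they are only as current as the ticket: a permission removed in the database is not reflected until the ticket is reissued, which is the same freshness trade-off Nicole raises for session state.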
