application roles

I am looking for examples and assistance in configuring application roles
using SQL Server 2000 and VB.NET, both web forms and windows forms.

Are there any suggestions?

Thanks
Bill
Nov 21 '05 #1
You probably won't find much because application roles are not widely
used, especially in Web applications because you have to sacrifice
connection pooling to get them to work. See:

PRB: SQL Application Role Errors with OLE DB Resource Pooling
http://support.microsoft.com/default...;EN-US;Q229564

This was written for ADO, but still applies to ADO.NET. Even if they
worked, you would still not want to use them even in a .NET Winforms
application because the application role password must be supplied by
your client code. Reading the IL of a compiled assembly is fairly
straightforward using the disassembler tool (ildasm.exe). Even if it's
not embedded in your code, the password must be stored *somewhere* on
the client, which makes it vulnerable.

--Mary

On Mon, 13 Dec 2004 08:42:34 -0500, "bill" <be****@datamti.com> wrote:
>I am looking for examples and assistance in configuring application roles
>using SQL Server 2000 and VB.NET, both web forms and windows forms.
>
>Are there any suggestions?
>
>Thanks
>Bill


Nov 21 '05 #2
Thanks for the input.

What is the recommended approach to prevent users from accessing database
resources independently of the user interface? Users have database
permissions and can access the database using MSAccess or whatever.

I appreciate your help.

-Bill

Nov 21 '05 #3
The best way is to take advantage of parameterized stored procedures,
granting only execute permissions for database roles to selected
stored procedures and denying all permissions to the base tables to
public. Users might be able to connect due to their Windows logins
being enabled on the server, but they would be prevented from reading
or modifying data using other query tools. Access won't let you link
to tables you don't have permissions on. It's more work, but worth it
if your goal is increased security.

--Mary

On Tue, 14 Dec 2004 07:56:58 -0500, "bill" <be****@datamti.com> wrote:
>Thanks for the input.
>
>What is the recommended approach to prevent users from accessing database
>resources independently of the user interface? Users have database
>permissions and can access the database using MSAccess or whatever.
>
>I appreciate your help.
>
>-Bill

Nov 21 '05 #4
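
A T-SQL example of the approach described in the post above (EXECUTE granted to a database role on selected parameterized procedures, table permissions denied to public). It is added here as an illustration and is not code from the thread's participants; the database, table, procedure, role and Windows group names are hypothetical, and the syntax targets SQL Server 2000.

```sql
-- Constructed example; every object name below is hypothetical. SQL Server 2000 syntax.
-- Assumes the Windows group DOMAIN\OrderClerks already has a server login (sp_grantlogin).
USE SalesDemo
GO
CREATE TABLE dbo.Orders (
    OrderID    int IDENTITY(1,1) PRIMARY KEY,
    CustomerID int     NOT NULL,
    Amount     money   NOT NULL,
    CreatedBy  sysname NOT NULL DEFAULT SUSER_SNAME()  -- records the caller's login
)
GO
-- Procedures are owned by dbo, the same owner as the table, so ownership
-- chaining lets them touch dbo.Orders without the caller holding table rights.
CREATE PROCEDURE dbo.usp_Orders_Add
    @CustomerID int,
    @Amount     money
AS
    SET NOCOUNT ON
    IF @Amount <= 0
    BEGIN
        RAISERROR('Amount must be positive.', 16, 1)
        RETURN 1
    END
    INSERT INTO dbo.Orders (CustomerID, Amount)
    VALUES (@CustomerID, @Amount)
    RETURN 0
GO
CREATE PROCEDURE dbo.usp_Orders_ListForCustomer
    @CustomerID int
AS
    SET NOCOUNT ON
    SELECT OrderID, Amount FROM dbo.Orders WHERE CustomerID = @CustomerID
GO
-- Database role for the application's users, with the Windows group as a member.
EXEC sp_addrole 'OrderEntry'
EXEC sp_grantdbaccess 'DOMAIN\OrderClerks'
EXEC sp_addrolemember 'OrderEntry', 'DOMAIN\OrderClerks'
GO
-- The role may only execute the selected procedures; public is denied on the table.
GRANT EXECUTE ON dbo.usp_Orders_Add             TO OrderEntry
GRANT EXECUTE ON dbo.usp_Orders_ListForCustomer TO OrderEntry
DENY SELECT, INSERT, UPDATE, DELETE, REFERENCES ON dbo.Orders TO public
GO
-- Verification, run as a member of DOMAIN\OrderClerks from any query tool:
--   SELECT * FROM dbo.Orders                              -- fails: SELECT permission denied
--   EXEC dbo.usp_Orders_ListForCustomer @CustomerID = 1   -- succeeds
--   EXEC dbo.usp_Orders_Add @CustomerID = 1, @Amount = 25 -- succeeds
```

If a procedure builds and runs dynamic SQL (EXEC of a string or sp_executesql), ownership chaining no longer applies and the caller's own table permissions are checked, so the DENY would block it.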
I see. Do you think application roles will be abandoned, or will the
problem with connection pooling be resolved in a later version? It's too
bad, because it seems like such a good way to handle database access
otherwise.

Thanks!
Bill


Nov 21 '05 #5
They probably won't be abandoned for backwards compatibility issues,
but IMO they sound better than they actually are in reality. Aside
from pooling, the big issue is that they represent a giant security
hole because the application must pass the application role password
to the server in order to activate it. Secrets stored on the client
are *always* vulnerable to being hacked, especially in .NET where
strings are immutable.

--Mary

On Tue, 14 Dec 2004 09:51:42 -0500, "bill" <be****@datamti.com> wrote:
>I see. Do you think application roles will be abandoned, or will the
>problem with connection pooling be resolved in a later version? It's too
>bad, because it seems like such a good way to handle database access
>otherwise.
>
>Thanks!
>Bill


Nov 21 '05 #6
