I have a question regarding the ability to filter data based upon roles, permissions and policies with .NET. I am actually a Java developer so don't have experience with .NET but anyways... Basically what I am currently doing is intercepting a method in Java using AOP. The result of that method is then filtered and the altered result is sent to the user without polluting the business logic with security code. Essentially there is the basic role-based security in which a particular user gets roles, permissions etc., which I am sure is in .NET. What I am wondering about is the other piece, which actually filters out the result based on the security info in the application server. Right now I am using an implementation of the Resource Access Decision (RAD) spec, which is an OMG spec.

So for example, say a particular piece of information is marked as VIP. In the security manager (essentially the RAD) a policy is defined for a VIP "resource" and that policy has certain operations defined with it. So in this case there would be a "view" operation stating whether a user can look at VIP information. That "view" operation would have certain permissions defined, like "vip_access". So if the security info from the application server has a permission called "vip_access" then the information marked would be filtered through into the new returned result, else not. Basically what I do is obtain the security information from the server and insert it into a call to the security manager, something like SecurityManager.accessAllowed(vipResource, "view", security info), which returns true or false. This allows me to change the policies and associations on the fly without recompiling or changing any code. In addition, the security can just be plugged into the existing application without changing application code.

My boss seems to think that there is something in .NET security (built in) that can magically do this, but I doubt it. Does anyone know of anything like this (essentially the security manager)?

===================================
This list is hosted by DevelopMentor® http://www.develop.com
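
The pattern described in the message above, as an added example that is not part of the original post: a Java dynamic proxy stands in for the poster's AOP interception, and the result list is filtered through a RAD-style access decision whose policy is changed at runtime. `AccessDecision`, `InfoService`, `Item` and the `audit_cleared` permission are hypothetical names; the code assumes Java 16 or later.

```java
import java.lang.reflect.Proxy;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

public class RadFilterDemo {
    // resource == null means the item is unmarked and needs no access decision.
    record Item(String resource, String text) {}

    interface InfoService { List<Item> findAll(); }

    // Hypothetical stand-in for the post's security manager: resource -> operation -> required permissions.
    static class AccessDecision {
        final Map<String, Map<String, Set<String>>> policies = new ConcurrentHashMap<>();

        boolean accessAllowed(String resource, String operation, Set<String> callerPermissions) {
            Set<String> required = policies.getOrDefault(resource, Map.of()).get(operation);
            // Fail closed: a marked resource with no policy or no such operation is denied.
            return required != null && callerPermissions.containsAll(required);
        }
    }

    // Interception point: business code returns everything, the proxy filters what the caller may view.
    static InfoService secure(InfoService target, AccessDecision rad, Set<String> perms) {
        return (InfoService) Proxy.newProxyInstance(
            InfoService.class.getClassLoader(), new Class<?>[] {InfoService.class},
            (proxy, method, args) -> {
                Object result = method.invoke(target, args);
                if (!(result instanceof List<?> list)) return result;
                return list.stream()
                    .filter(o -> !(o instanceof Item i) || i.resource() == null
                        || rad.accessAllowed(i.resource(), "view", perms))
                    .collect(Collectors.toList());
            });
    }

    public static void main(String[] args) {
        InfoService plain = () -> List.of(new Item(null, "office hours"), new Item("vip", "VIP contacts"));
        AccessDecision rad = new AccessDecision();
        rad.policies.put("vip", new ConcurrentHashMap<>(Map.of("view", Set.of("vip_access"))));
        System.out.println(secure(plain, rad, Set.of("staff")).findAll().size());
        System.out.println(secure(plain, rad, Set.of("staff", "vip_access")).findAll().size());
        // Policy tightened at runtime (constructed permission name); no application code changes.
        rad.policies.get("vip").put("view", Set.of("vip_access", "audit_cleared"));
        System.out.println(secure(plain, rad, Set.of("staff", "vip_access")).findAll().size());
    }
}
```

The decision fails closed for a marked resource that has no policy, so a new marking hides data until a policy is defined for it.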
