.NET has a pretty straightforward api for role-based security, complete with
somewhat AOPish declarative security checks (by attaching attributes to
classes or methods).
[PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
public string GetSecretInfo()
{
return "The brown fox awakes at dawn.";
}
Start here...
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconRole-BasedSecurity
.asp
The crux is usually getting the caller's principal info attached to the
calling thread -- by setting Thread.CurrentPrincipal -- but exactly how and
where you go about that depends a great deal on what kind of network
architecture you're into... web services? remoting? other?
And, as you know, you've got to manage some kind of database mapping users
to roles. In the Windows world, the story goes like this: you can either
choose to use Windows' builtin mapping of Users and Groups, ala the Control
Panel or Active Directory. Or if you want to roll your own (ie, from a
database table or something) you can spin up a GeneralPrincipal object and
populate it yourself.
But in the end, it's all about users and roles. There's no explicit notion
of "resources", other than the actual classes, properties, and methods
you're protecting.
Cheers,
-Shawn
http://www.windojitsu.com/
-----Original Message-----
From: Tim Jones [mailto:[EMAIL PROTECTED]
Sent: Friday, January 16, 2004 13:00
Subject: security (data filtering)
I have a question regarding the ability to filter data based upon roles,
permissions and policies with .NET. I am actually a java developer so
don't have experience with .NET but anyways... Basically what I am
currently doing is intercepting a method in java using aop. The result of
that method is then filtered and the altered result is sent to the user
without polluting the business logic with security code. Essentially
there is the basic role-based security in which a particular user gets
roles, permissions etc which I am sure is in .NET. What I am wondering
about is the other piece which actually filters out the result based on
the security info in the application server. Right now I am using an
implementation of the Resource Access Decision(RAD) spec which is an OMG
spec.
So for example say a particular piece of information is marked as VIP. In
the security manager(essentially the RAD) a policy is defined for a
vip "resource" and that policy as certain operations defined with it. So
in this case there would be a "view" operation stating whether a user can
look at VIP information. That "view" operation would have certain
permissions defined like "vip_access". So if the security info from the
application server has a permission called "vip_access" then the
information marked would be filtered through into the new returned result
else not.
Basically what I do is obtain the security information from the server and
insert into a call to the security manager. something like
SecurityManager.accessAllowed(vipResource, "view", security info)
which returns true or false. This allows me change the policies and
associations on the fly without recompiling or changing any code. In
addition the security can just be plugged into the existing application
without changing application code. My boss seems to think that there is
something in .NET security (built in) that can magically do this but I
doubt it. Does anyone know of anything like this( essentially the security
manager )?
===================================
This list is hosted by DevelopMentorR http://www.develop.com
Some .NET courses you may be interested in:
NEW! Guerrilla ASP.NET, 26 Jan 2004, in Los Angeles
http://www.develop.com/courses/gaspdotnetls
View archives and manage your subscription(s) at http://discuss.develop.com
===================================
This list is hosted by DevelopMentor� http://www.develop.com
Some .NET courses you may be interested in:
NEW! Guerrilla ASP.NET, 26 Jan 2004, in Los Angeles
http://www.develop.com/courses/gaspdotnetls
View archives and manage your subscription(s) at http://discuss.develop.com
