Re: Authentication & Authorization advice
- From: Jon <Jon@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 16 Jan 2007 09:21:00 -0800
Hi Peter,
The links provided will be great. From what I understand, we'll just be
using a database.
Thanks for all your effort,
Jon
"Peter Bradley" wrote:
Ooh! Jon, that's hard..
Firstly you need to make sure you're happy with remoting. I can recommend
some books on that for you if you're not. We also have some internal
documents that we could let you have copies of if you thought they'd be
helpful.
Secondly, you need to make sure you're happy with AD/LDAP if that's what
you're using. MSDN has a good example of authentication using AD. If your
Google foo lets you down, let me know and I'll find it for you. It'll be
tomorrow, though, now, as it's the end of the day for me here.
If you're going to use a secure database, all you really need to know is
that you never store passwords - even encrypted passwords. You store seeded
password hashes. MSDN has enough on that to keep you going, I think.
You could also look at my research paper at
http://www.peredur.uklinux.net/msc/. It's not directly on topic, but it
uses forms authentication some place in there, and it certainly uses
remoting. All the code is listed in the appendices.
MSDN should also help you out on the use of attributes, but once again let
me know if you need more help.
Finally, MS have a book in print and online
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpmsdn.asp)
that covers the subject in great detail.
HTH. Get back to me tomorrow if you need more help.
Peter
For authorisation using attributes, I think you'll find enough on MSDN and
via Google. Once again, if you get stuck, let me know and I'll see what we
have.
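As an added example (not code from this thread or from Peter's paper) of the two points above, seeded password hashes and attribute-based authorisation: it derives a salted PBKDF2 hash with Rfc2898DeriveBytes and guards a method with a PrincipalPermission demand. It assumes .NET Framework 2.0 or later (where the declarative demand is enforced) and stands in for the secure database with one constructed user record.

```csharp
// Added example, not from the thread. Assumes .NET Framework 2.0+; the user record is constructed.
using System;
using System.Security;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class PasswordStore
{
    const int SaltSize = 16, Iterations = 10000, HashSize = 32;
    // Store "iterations:salt:hash" (base64), never the password itself.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] hash = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashSize);
        return Iterations + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    // Re-derive with the stored salt and compare all bytes without an early exit.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, int.Parse(parts[0])).GetBytes(expected.Length);
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

static class Program
{
    // Declarative authorisation: caller must be logged in and hold the "Staff" role.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = "Staff")]
    static string ProtectedOperation() { return "ok"; }
    static void Main()
    {
        string stored = PasswordStore.Hash("correct horse");  // constructed user record
        Console.WriteLine(PasswordStore.Verify("correct horse", stored));
        Console.WriteLine(PasswordStore.Verify("wrong guess", stored));
        // After a successful hash check, set the principal the attribute will inspect.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("jon"), new string[] { "Staff" });
        Console.WriteLine(ProtectedOperation());
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("guest"), new string[0]);
        try { ProtectedOperation(); } catch (SecurityException) { Console.WriteLine("denied"); }
    }
}
```

In a web application the principal would be set from the forms-authentication ticket in the pipeline rather than on the thread by hand; the demand itself works the same way.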
"Jon" <Jon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7575111C-16C6-49A2-AC20-9C2DBFC89CB0@xxxxxxxxxxxxxxxx
Peter, this is along the same lines as what I'm aiming to do.
Do you have any sites/links/references that you can point me at for
examples etc?
Thanks,
Jon
"Peter Bradley" wrote:
As I've said many times before, we use forms authentication. The
authentication is done by a remote component running on the application
server and connecting to the database or LDAP server. Some applications,
used by people we know about like employees and students, use Active
Directory for the authentication. Other applications use a secure database
that holds only hashed and seeded passwords.
The Web Server is behind a firewall and is not on the Windows domain, and
connects to the app server through a firewall to a specified port. The app
server will only accept calls from a particular web application on a
specific port (or set of ports). The app server and db server are on the
Windows domain and connect over a trusted connection.
Authorisation is done declaratively by decorating classes and/or methods
with attributes that ensure that users are both logged in and have
sufficient permissions before they access the protected areas of our code.
We have made the login "screen" into a Web control that developers can use
in any application.
It works for us.
In ASP.NET 2.0, I understand that there is a login control. This may make
things a lot easier for us, but the architecture will remain the same.
Peter
"Jon" <Jon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:27DFAA68-EB53-4426-A368-9380BB597F52@xxxxxxxxxxxxxxxx
Hello all.
Just after some advice on the best approach to authentication and
authorization in asp.net 2.0.
I'm wanting to develop an 'Authentication/Authorization' block so that
developers, as they write their apps, can just reference this block, and
all the code to do with hitting the database etc is wrapped up.
My question is: will it be better to use a custom IIdentity and IPrincipal
object, or can ASP.net 2.0 handle this?
Thank you for any advice/ideas offered.
Jon