Re: * * * C# Application and Database Security Model * * *
- From: "isideveloper" <isideveloper@xxxxxxxxxxxxxxxxx>
- Date: Thu, 3 Aug 2006 17:02:59 -0700
Steven,
I will note my comments next to your text with *** in front of the text.
"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ynfma3stGHA.2004@xxxxxxxxxxxxxxxxxxxxxxxx
Hello Brian,
Based on your description, you're going to develop a data-driven web
application through ASP.NET and want to perform role based security to
restrict different clients to perform certain data manipulation operations
in the web application, correct?
*** Yes, certain users should only be able to see certain data, while some
*** users can see all data.
Based on my experience,here are some approaches you can consider:the
1. For building data-driven web applications, ASP.NET (latest version 2.0)
has provided many rich UI controls for conveniently constructing a web
application which access data from backend data page and present the data
on web page. For general ASP.NET development information, you can visit
following web sites:
http://www.asp.net/
http://msdn.microsoft.com/asp.net/
2. I've noticded that your main concern here is to provide security
authentication against client users and authorize certain users(with
certain roles) to access the resource they're allowed to access. Are the
users and roles here the windows account and groups or the custom users
and roles defined in your own database storage? In ASP.NET, you have the
following options:
*** It's more like, 2 users that belong to the same role...one user might
*** have more privileges then the other, so the more privileged user might
*** be able to see more data (1 user can only see their customers, but the
more
*** privileged user can see their customers and everyone elses
1) If you're going to do authentication and authorization against windows
account and groups, you can configure the ASP.NET appilcation to use
windows authentication and also set the IIS virtual directory to use
intergrated windows authentication. Thus, we can get the authenticated
client user's windows identity in ASP.NET web application and then if some
pages are restricted to certain users, you can do the identity checking in
code and prevent any unauthorized users.
*** that is the plan, to use integrated security for the initial log in, but
then
*** we have to develop the security schema to handle indiviual access and
data
*** access after that
manager
2) ASP.NET 2.0 also provide a well encapsulated Membership and role
framework which can help easily build web application that willhttp://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000019.asp?frame=tr
authenticate user against custom security account database and authroize
users against custom role database. Such application generally use Forms
Authentication and let the user input username/password credentials at the
login form. Here is a good blog article which listed many resources about
the membership and role management service in ASP.NET 2.0:
#ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security
Resources
http://weblogs.asp.net/scottgu/archive/2006/02/24/438953.aspx
3. As you also mentioned the AzMan, though it is not a naturally .net
managed based component, there are some resoruces introducing how to
integrate it in ASP.NET web application as security mechanism. Here is a
msdn article describing on this:
How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
uehttp://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
All the above are some general information, you can have a look to see
whether any of them will suit your application scenario. And if you have
any further detailed or specific questions, please feel free to post here.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
==================================================
Get notification to my posts through email? Please refer to
ications.approximately
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial
response from the community or a Microsoft Support Engineer within 1
business day is
acceptable. Please note that each follow up response may take
2 business daysinvestigation
as the support professional working with you may need further
to reach therights.
most efficient resolution. The offering is not appropriate for situations
that require
urgent, real-time or phone-based interactions or complex project analysis
and dump analysis
issues. Issues of this nature are best handled working with a dedicated
Microsoft Support
Engineer by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no
.
- Follow-Ups:
- Re: * * * C# Application and Database Security Model * * *
- From: Steven Cheng[MSFT]
- Re: * * * C# Application and Database Security Model * * *
- References:
- * * * C# Application and Database Security Model * * *
- From: isideveloper
- RE: * * * C# Application and Database Security Model * * *
- From: Steven Cheng[MSFT]
- * * * C# Application and Database Security Model * * *
- Prev by Date: How to create a multi-dimensioned array in conventional ASP Javascript so that C# interop function can read it?
- Next by Date: Re: Telnet Using C#
- Previous by thread: RE: * * * C# Application and Database Security Model * * *
- Next by thread: Re: * * * C# Application and Database Security Model * * *
- Index(es):
Relevant Pages
|
