Re: Authentication
- From: Dave <Dave@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 17 Nov 2007 08:39:00 -0800
You stated ".... If it is the latter (which if you insist on a separate sign on, it should be), then you have to be sure that you are not storing passwords in the database". Where would I store my password?
I have not found any basic tutorial on IPrincipal. Could you direct me to one?
Thanks.
--
L. A. Jones
"Nicholas Paldino [.NET/C# MVP]" wrote:
Well, there are a number of questions here..
First, how are you accessing the database? Are you doing it using
trusted security, or are you accessing it using a username/login combo?
If it is the former, then you probably should be using a windows
principal, and using the security in the operating system (windows is a
single sign on system) to authenticate your user.
If it is the latter (which if you insist on a separate sign on, it
should be), then you have to be sure that you are not storing passwords in
the database, because a malicious user could use the credentials to fetch
the passwords (encrypted or not) and try to crack them over time.
Regardless, you should be encrypting the connection string as well in
the config file (assuming that is where you keep it).
You can then create a custom implementation of IPrincipal and set the
CurrentPrincipal property on the thread which will be used when checking
methods/properties with the PrincipalPermission attribute. You will need to
implement the IsInRole method to check against your database to see what
roles the user is a part of.
Needless to say, it isn't a bad thing that you are storing user
information in the database, you just have to take certain steps to make
sure that it is secure.
--
- Nicholas Paldino [.NET/C# MVP]
- mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx
"Dave" <Dave@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:01220BFE-50DB-480B-84B1-4CCDD93B3C02@xxxxxxxxxxxxxxxx
Well let me tell you how I've implemented my application security. I have a main form with several menu options. When a user logs in I check a SQL database to authenticate the user. Based on the outcome several menu options will be enabled or disabled. Is this a poor security technique?
--
L. A. Jones
"Nicholas Paldino [.NET/C# MVP]" wrote:
Dave,
Authentication in Windows Forms is a different beast than in ASP.NET applications. Basically, you are going to work off the current principal for the thread, which can be based on the user that is currently logged in and running your app, or something completely custom.
However, once you determine how you want to authenticate your user, how you authorize them is pretty much the same (declarative security using the PrincipalPermissionAttribute, calling IsInRole on the IPrincipal interface definition).
Juval Lowy has written an article which shows how to use the ASP.NET
authentication module in Windows Forms if you are interested:
http://msdn.microsoft.com/msdnmag/issues/05/04/Security/default.aspx
--
- Nicholas Paldino [.NET/C# MVP]
- mvp@xxxxxxxxxxxxxxxxxxxxxxxxxxx
"Dave" <Dave@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C24B8DF6-01DD-4E9E-93DC-4B19885AD5B1@xxxxxxxxxxxxxxxx
I would like to find a tutorial that shows how to set up authentication in a winform application similar to one that ASP.Net applications are capable of.
--
L. A. Jones
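A minimal version of what Nicholas describes above, added here as an example (not code from anyone in the thread): a custom IIdentity/IPrincipal whose IsInRole answers from the roles loaded for the user, installed on Thread.CurrentPrincipal, then checked both imperatively (to toggle a menu item, as in Dave's main form) and declaratively with PrincipalPermission on the method that does the real work, so the UI toggle is not the only control. It targets .NET Framework, as the thread does; the role list is constructed inline in place of the database lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Identity created only after the database check of the login succeeded.
public sealed class AppIdentity : IIdentity
{
    public AppIdentity(string name) { Name = name; }
    public string Name { get; private set; }
    public string AuthenticationType { get { return "Custom"; } }
    public bool IsAuthenticated { get { return true; } }
}

// Principal answering IsInRole from roles loaded once for this user.
public sealed class AppPrincipal : IPrincipal
{
    private readonly HashSet<string> roles;
    public AppPrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        this.roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return roles.Contains(role); }
}

public static class Demo
{
    // Declarative check: throws SecurityException unless Thread.CurrentPrincipal.IsInRole("Admin").
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public static void DeleteAllRecords() { Console.WriteLine("records deleted"); }

    public static void Main()
    {
        // Constructed stand-in for the roles a real app would read from its database.
        var rolesFromDb = new[] { "User" };
        Thread.CurrentPrincipal = new AppPrincipal(new AppIdentity("dave"), rolesFromDb);

        // Imperative check, the kind used to enable or disable a menu item.
        bool canDelete = Thread.CurrentPrincipal.IsInRole("Admin");
        Console.WriteLine("Delete menu enabled: " + canDelete);

        // Even if the menu item were left enabled, the demand still blocks the call.
        try { DeleteAllRecords(); }
        catch (SecurityException) { Console.WriteLine("denied: not in Admin role"); }
    }
}
```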