tarekahf | May 26, 2008 01:22 PM
Need your opinion on developing a Security/Authorization Class.
Dear All,
I am developing a class to be used as the Central Point of access to Control All Functions for All Applications.
In general, the class will provide the following functionality:
For a given Application, Who Can Do What and When.
I need your input and feedback to implement this class in the best way possible, and if you have other suggestions, please feel free to let me know.
Sample Use for this Class:
For example, we have an Attendance System which has been live for the past 4 years. Everyone punches their in/out times. Sometimes, staff will forget to punch in or out! So, I created a Screen to Enter Attendance Adjustments.
Of course, this screen needs to be secured. Not anyone can enter adjustments. Right?
So, the HR Users requested me to provide the screen for 2 main User Roles:
- Application Admin: He can enter the adjustment for any Staff.
- Department Admin: He can enter the adjustment only for the staff who are in the same department of the user who is making the Data Entry.
Now, I have another application which is used to Display Staff Profile Info On-Line (eHRMD), such as Contact Info, Personal Info, Salary, Medical Lab Requests ...etc.
So, the HR Users requested me to provide extreme flexibility to allow Authorized Staff to view the Profile Data of other Staff based on predefined rules.
For example:
- Application Admin: Can view staff info of any other staff.
- Director: Can view all Staff Info EXCEPT Medical Data.
- Section Head: Can view all Staff Info EXCEPT Medical Data and Salary Data
...etc...
Database Design:
I decided to make the Database as follows:
Following is a Sample of each table above:
tApplications
AppID | AppDescEng | AppDescArab
AtSys | Attendance System |
eHRMD | Staff Profile Application |
tUIElements
AppID | UIElmID | UIElmDescEng | UIElemDescArab | UsesPrivLvl
Attendance System | UI001 | Adjustment Entry. | | No
Attendance System | UIAll | All UI Elements of Attendance System. | | No
Staff Profile Application | UI001 | View Info of Other Staff. | | Yes
Staff Profile Application | UIAll | All UI Elements of eHRMD. | | No
tUIElmActions
AppID | UIElmID | ActionID | ActionDescEng | ActionDescArb
Attendance System | UI001 | AC001 | Enter Adjustment for All Staff. |
Attendance System | UI001 | AC003 | Enter Adjustment for Staff Only in Same Dept. |
Attendance System | UIAll | ACAll | All Actions of Attendance System. |
Staff Profile Application | UI001 | AC001 | View All Staff Info of any Other Staff. |
Staff Profile Application | UI001 | AC003 | View Staff Info of Other Staff Only in the Same Dept. |
Staff Profile Application | UI001 | ACAll | All Actions for View Other Staff Info as per Privacy Level. |
Staff Profile Application | UIAll | ACAll | All Actions of eHRMD. |
tRoles
RoleID | RoleDescEng | RoleDescArb | CanViewMaxPrivLvl
R001 | Application Admin | | 5
R005 | Director | | 3
R007 | Section Head | | 3
R009 | Department Administrator | | 2
R015 | Attendance Adjustment Entry | | 1
R020 | Staff | | 1
tAuthorization
AppID | UIElmID | ActionID | RoleID | IsDenied
Attendance System | UI001 | AC001 | Application Admin | No
Attendance System | UI001 | AC001 | Attendance Adjustment Entry | No
Attendance System | UI001 | AC003 | Department Administrator | No
Staff Profile Application | UI001 | AC001 | Application Admin | No
Staff Profile Application | UI001 | AC003 | Director | No
Staff Profile Application | UI001 | ACAll | Staff | No
Application Security Class Implementation:
I decided to implement the class as follows:
- Class Name: AppSecurity
- Use Singleton Pattern: "appsec = AppSecurity.GetSingleton()" to get an instance of the class.
- Load the Tables above into DataSet only once during the Application Life in the Worker Process.
- Use the CSLA .NET DataPortal Fetch method to load the Data. This is to make use of Mobile Business Objects, when needed.
- Use DataRelation to relate the tables in the DataSet.
- To check for security, the Application UI Code of the Attendance Adjustment Entry Screen will do something like the following:
Sub Page_Load(...)
    Dim appsec As AppSecurity = AppSecurity.GetSingleton()
    If appsec.CanPerformAction(AppCodes.AtSys, UIElmCodes.UI001, UIElmActCodes.AC001) Then
        ' Means he can Enter Adjustments for All Staff.
        ' Yes, he is authorized, continue ...
        ' Set up the DataSource of the Screen to work with all Staff.
    ElseIf appsec.CanPerformAction(AppCodes.AtSys, UIElmCodes.UI001, UIElmActCodes.AC003) Then
        ' Means he can Enter Adjustments only for Staff in the same Dept.
        ' Get the Dept. Code of the Logged-In User.
        ' Filter the DataSource of the Screen to allow working only with
        ' Staff who are in the same Dept. as the Logged-In User.
    Else
        Response.Write("Access Denied or something like that.")
    End If
End Sub
Sample Code of the Class:
I am posting below the sample code of the class to clarify the concept:
Imports System
Imports System.Data
Imports System.Data.OleDb
Imports Csla

<Serializable()> _
Public Class AppSecurity

#Region " Hard-Coded Constant Values "
    ' Hard-coded values used in the program.
    ' They correspond to the Key Values in the Security Database Tables and are
    ' defined as Enums just to make them easier to work with.
    Public Enum AppCodes
        eHRMD
        AtSys
    End Enum

    Public Enum UIElmCodes
        UIAll
        UI001
    End Enum

    Public Enum UIElmActCodes
        ACAll
        AC001
        AC003
    End Enum
#End Region

    Private Shared mSingleton As AppSecurity
    Private Shared lockobject As New Object
    Private mAppSecDataSet As DataSet

#Region " Factory Methods "
    Private Sub New()
    End Sub

    ' Double-checked locking: the DataSet is fetched once per Worker Process.
    Public Shared Function GetSingleton() As AppSecurity
        If mSingleton Is Nothing Then
            SyncLock lockobject
                If mSingleton Is Nothing Then
                    mSingleton = DataPortal.Fetch(Of AppSecurity)(New Criteria())
                End If
            End SyncLock
        End If
        Return mSingleton
    End Function
#End Region

#Region " Data Access "
    <Serializable()> _
    Private Class Criteria
        Public Sub New()
        End Sub
    End Class

    Private Overloads Sub DataPortal_Fetch(ByVal criteria As Criteria)
        Using con As New OleDbConnection(Database.AppSecurityDB)
            Using cmd As OleDbCommand = con.CreateCommand()
                cmd.CommandType = CommandType.Text
                Using da As New OleDbDataAdapter(cmd)
                    ' Load all tables with a small set of records into memory
                    ' in one DataSet. Any lookup against the Staff or Staff Roles
                    ' tables is done against the Database directly, to avoid
                    ' loading a large number of records.
                    mAppSecDataSet = New DataSet("ApplicationSecurity")
                    FillTable(da, cmd, "tApplications")
                    FillTable(da, cmd, "tAppDataTypes")
                    FillTable(da, cmd, "tUIElements")
                    FillTable(da, cmd, "tUIElmActions")
                    FillTable(da, cmd, "tRoles")
                    FillTable(da, cmd, "tAuthorization")
                End Using
            End Using
        End Using

        ' Define the Relationships among the tables in the DataSet.
        ' The column names must match the table definitions exactly (UIElmID,
        ' not UIElemID) and the DataTable name must match the name used in
        ' Fill ("tAuthorization"), otherwise Columns(...) returns Nothing.
        AddRelation("App_DataTypes", "tApplications", "tAppDataTypes", "AppID")
        AddRelation("App_UIElements", "tApplications", "tUIElements", "AppID")
        AddRelation("UIElements_Actions", "tUIElements", "tUIElmActions", "AppID", "UIElmID")
        AddRelation("Actions_Authorization", "tUIElmActions", "tAuthorization", "AppID", "UIElmID", "ActionID")
        AddRelation("Roles_Authorizations", "tRoles", "tAuthorization", "RoleID")
    End Sub

    ' Only ever called with the constant table names above.
    Private Sub FillTable(ByVal da As OleDbDataAdapter, ByVal cmd As OleDbCommand, ByVal tableName As String)
        cmd.CommandText = "select * from " & tableName
        da.Fill(mAppSecDataSet, tableName)
    End Sub

    ' Parent and child tables share the same column names for every relation.
    Private Sub AddRelation(ByVal name As String, ByVal parentTable As String, ByVal childTable As String, ByVal ParamArray columns() As String)
        Dim parentColumns(columns.Length - 1) As DataColumn
        Dim childColumns(columns.Length - 1) As DataColumn
        For i As Integer = 0 To columns.Length - 1
            parentColumns(i) = mAppSecDataSet.Tables(parentTable).Columns(columns(i))
            childColumns(i) = mAppSecDataSet.Tables(childTable).Columns(columns(i))
        Next
        mAppSecDataSet.Relations.Add(New DataRelation(name, parentColumns, childColumns))
    End Sub
#End Region

End Class
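The CanPerformAction check that the Page_Load sketch relies on, evaluated over the tAuthorization and tRoles sample rows above, as an added example in C# that is not part of the original post or its VB.NET class. It assumes that UIAll/ACAll rows act as wildcards, that an IsDenied row overrides any allow row, that no matching row means denied, and that CanViewMaxPrivLvl caps the privacy level a role may view; the deny row and the data privacy levels in the demo are constructed.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the original post. It evaluates the tAuthorization
// and tRoles data the way the Page_Load sketch expects CanPerformAction to.
// Assumed rules (the post does not spell them out):
//  - UIElmID "UIAll" and ActionID "ACAll" rows act as wildcards;
//  - an IsDenied = Yes row for any of the caller's roles overrides every allow row;
//  - no matching row at all means denied (default deny);
//  - a role's CanViewMaxPrivLvl caps the privacy level of the data it may view.
public sealed class AuthorizationRow
{
    public readonly string AppID, UIElmID, ActionID, RoleID;
    public readonly bool IsDenied;

    public AuthorizationRow(string app, string ui, string action, string role, bool denied)
    {
        AppID = app; UIElmID = ui; ActionID = action; RoleID = role; IsDenied = denied;
    }
}

public sealed class AppSecurity
{
    public const string UIAll = "UIAll";
    public const string ACAll = "ACAll";

    private readonly List<AuthorizationRow> authorization;        // tAuthorization rows
    private readonly Dictionary<string, int> canViewMaxPrivLvl;   // tRoles.RoleID -> CanViewMaxPrivLvl

    public AppSecurity(IEnumerable<AuthorizationRow> authorizationTable,
                       IDictionary<string, int> roleMaxPrivLvl)
    {
        authorization = new List<AuthorizationRow>(authorizationTable);
        canViewMaxPrivLvl = new Dictionary<string, int>(roleMaxPrivLvl, StringComparer.OrdinalIgnoreCase);
    }

    // True only if at least one of the caller's roles is granted the action and
    // none of them is explicitly denied it.
    public bool CanPerformAction(string appId, string uiElmId, string actionId,
                                 ICollection<string> callerRoles)
    {
        bool allowed = false;
        foreach (AuthorizationRow row in authorization)
        {
            if (!callerRoles.Contains(row.RoleID)) continue;
            if (!Same(row.AppID, appId)) continue;
            if (!Same(row.UIElmID, uiElmId) && !Same(row.UIElmID, UIAll)) continue;
            if (!Same(row.ActionID, actionId) && !Same(row.ActionID, ACAll)) continue;
            if (row.IsDenied) return false;   // explicit deny wins; stop scanning
            allowed = true;                   // remember the grant, keep looking for a deny
        }
        return allowed;
    }

    // The caller may see a data item (on a screen whose UsesPrivLvl is Yes) if its
    // privacy level is at or below the highest CanViewMaxPrivLvl of the roles held;
    // unknown roles contribute 0.
    public bool CanViewPrivacyLevel(int dataPrivLvl, ICollection<string> callerRoles)
    {
        int max = 0;
        foreach (string role in callerRoles)
        {
            int lvl;
            if (canViewMaxPrivLvl.TryGetValue(role, out lvl) && lvl > max) max = lvl;
        }
        return dataPrivLvl <= max;
    }

    private static bool Same(string a, string b)
    {
        return string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
    }
}

public static class Demo
{
    public static void Main()
    {
        // The tAuthorization sample rows, keyed by tApplications.AppID and tRoles.RoleID
        // (R001 Application Admin, R005 Director, R009 Department Administrator,
        // R015 Attendance Adjustment Entry, R020 Staff).
        List<AuthorizationRow> rows = new List<AuthorizationRow>
        {
            new AuthorizationRow("AtSys", "UI001", "AC001", "R001", false),
            new AuthorizationRow("AtSys", "UI001", "AC001", "R015", false),
            new AuthorizationRow("AtSys", "UI001", "AC003", "R009", false),
            new AuthorizationRow("eHRMD", "UI001", "AC001", "R001", false),
            new AuthorizationRow("eHRMD", "UI001", "AC003", "R005", false),
            new AuthorizationRow("eHRMD", "UI001", "ACAll", "R020", false),
            // Constructed deny row, not in the post: Staff get every eHRMD UI001
            // action through ACAll except AC001 (view full info of any other staff).
            new AuthorizationRow("eHRMD", "UI001", "AC001", "R020", true)
        };
        Dictionary<string, int> roleMaxPrivLvl = new Dictionary<string, int>
        {
            { "R001", 5 }, { "R005", 3 }, { "R007", 3 }, { "R009", 2 }, { "R015", 1 }, { "R020", 1 }
        };
        AppSecurity appsec = new AppSecurity(rows, roleMaxPrivLvl);

        // A Department Administrator who is also ordinary Staff.
        string[] deptAdmin = { "R009", "R020" };
        Console.WriteLine("AtSys AC001 (all staff):    " + appsec.CanPerformAction("AtSys", "UI001", "AC001", deptAdmin));
        Console.WriteLine("AtSys AC003 (same dept):    " + appsec.CanPerformAction("AtSys", "UI001", "AC003", deptAdmin));
        Console.WriteLine("eHRMD AC001 (deny row):     " + appsec.CanPerformAction("eHRMD", "UI001", "AC001", deptAdmin));
        Console.WriteLine("eHRMD AC003 (via ACAll):    " + appsec.CanPerformAction("eHRMD", "UI001", "AC003", deptAdmin));

        // Constructed privacy levels for the data classes: contact info 1, medical data 5.
        string[] director = { "R005" };
        Console.WriteLine("Director sees contact info: " + appsec.CanViewPrivacyLevel(1, director));
        Console.WriteLine("Director sees medical data: " + appsec.CanViewPrivacyLevel(5, director));
    }
}
```

Scanning every matching row rather than returning on the first allow is what makes the deny row effective; a check that stops at the first grant would let the ACAll wildcard silently override it.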

Nullable | May 26, 2008 01:49 PM
What you're doing is probably what I would have done back in my PHP days... but this isn't what I would recommend as it doesn't lend itself well to scalability, and it's not easy to use.
Here is what I would suggest:
- Use the web.config to block access to certain pages based on role... this is a simple start that will help you to stop unauthorized people from *seeing* certain data.
- If multiple roles can see a certain page, but only some of them are allowed to see a particular part of the page (perhaps a grid view with employee's salaries), then you can wrap that part in an "asp:LoginView" control, and specify what Roles can see that data.
Those two items above are easy to do. You may want to take performance into account (meaning, don't forget not to databind a control if it's not going to be displayed... why waste all that performance).
Next, make a single static class that handles all of your business logic, and call it "BusinessLogicLayer", and put all of your functions in there such as "AdjustAttendance". Then, in the top of your "AdjustAttendance" method, double-check the current logged in user's security access...
// Inside the static BusinessLogicLayer class; the arguments are left as in the post.
public void AdjustAttendance(...)
{
    if (UserCanAdjustAttendance() == false)
    {
        throw new Exception("Access is denied!");
    }
    // ... put your code here ...
}
The "UserCanAdjustAttendance" method would look something like this:
// Needs "using System.Web;" for HttpContext.
public bool UserCanAdjustAttendance()
{
    if (HttpContext.Current.User.IsInRole("Application Admin"))
    {
        return true;
    }
    if (HttpContext.Current.User.IsInRole("Department Admin"))
    {
        // here you'd have to check if the department being edited is under the current user... that's up to you :)
    }
    // Every other role, and a Department Admin editing another department, is refused.
    return false;
}

tarekahf | May 26, 2008 10:30 PM
Nullable,
Thanks a lot for your reply.
In general, I agree with your approach. But, have you looked closely at the requirements of the HR Users for Authorization?
Enabling authorization using web.config and Allow/Deny rules is good for allowing or denying specific Users/Roles to "Open" certain pages/links within the web site (with an option for Security Trimming), but using this technique "as-is" is not good enough. Why? Because the logic also depends on further data to be retrieved from the Database.
Using web.config without further work also has an additional problem: you have to hard-code the authorized Roles within the web.config, and hard-code the authorization rules also. In my approach, I am not hard-coding the Rules; instead, I am using predefined Keys to hard-code the meaning of the codes in the program, and allow the user to change the Mapping between the Roles and the Action Codes.
In order to define the mapping between the Application Functions and User Roles outside the Program, you MUST do additional work. .NET does not do this work for you. Please correct me if I am wrong. However, .NET gives something called "Membership Providers", which you can implement in your program. This is exactly what I am trying to do. In the end, the Implementation of such a Provider will have to call the functionality of the "AppSecurity" class which I mentioned earlier.
You may ask "Why have I encapsulated the Application Security in this AppSecurity Class? Why not implement the Membership Provider directly?". The answer is: "To allow developing a Web Service Wrapper for this class and enable other applications to use it for Authorization. Or, to compile it into a DLL, and allow all kinds of supported UI Platforms to use it where needed."
Let us take a closer look at this authorization requirements:
- User is Authenticated and the Roles are loaded.
- The Attendance Application Starts.
- There is a link named "Enter Attendance Adjustments".
- This link can be used, for the time being, by 2 roles: "Application Admin", and "Dept. Admin". In the future, more roles can be added, and this should be the responsibility of the HR Admin, not the .NET Developer !.
- Security Trimming could be enabled and this will be an optional cool feature. But this requires the implementation of the Membership Provider. I still need some help in this area.
- If the user is a member of "Application Admin" Role, then he can enter the Adjustment for any Staff.
- If the User is a member of the "Dept. Admin" Role, then he can enter the Adjustment only for the Staff who are in the same Dept. as the Authenticated user. This means additional code is needed to look up the Dept. Code of the Authenticated User, and use the Dept. Code to filter the list of Staff who will be accessed by the "Attendance Adjustment" function.
And, I agree with you. I need to encapsulate the Business Logic in a Separate Class.
Here are my thoughts on how to do that:
- Develop a class named "AttendanceAdjustment" to represent the Attendance Adjustment Business Logic.
- This class will collaborate with the "AppSecurity" class to perform Authorization.
- The "AttendanceAdjustment" class will have the following sample methods:
  - GetStaffList(): Will return a Strongly Typed Collection of Staff ID and Name who are subject to Adjustments as per the rules defined in the "AppSecurity".
  - GetStaffAdjustmentData(StaffID as String): Will return a new object instance of the "AttendanceAdjustment" class with the Staff Adjustment Fields which need to be displayed on the Screen, and they must be bindable to the UI Elements.
  - UpdateOrInsertStaffAdjustment(): Will use the changed member values of the object to be updated or inserted in the Database.
- Each of the above methods will have to call the "AppSecurity" class methods to enforce the Authorization Rules before executing any other code (like what you have mentioned earlier).
- In the UI, use the class "AttendanceAdjustment" to link the Business Logic of this class with the Presentation Layer. In this case, the methods will be called to perform the required functionality triggered from the Presentation Layer via the UI Code, which will be minimal coding.
Questions:
- Can you give me some hints on how to link the "AppSecurity" class with the "Membership Provider" Interface Implementation ?
- Do you think there will be any problem in using the Singleton Pattern in this case?
Your feedback will be appreciated.
Tarek.

Jahedx99 | May 26, 2008 11:09 PM
Just thought this was a good question. You should also insert records into the db tables for view/edit/modify for main content. It saves a lot of overhead later on. When building applications with a separate business layer it can get tricky. You are defining your business layer as a static rule in your database. This is a great idea, but remember as the project advances you are definitely going to have to change, as usually the requirements change. Make sure your presentation layer can handle changes in the business layer. Just wanted to voice my concern. Good luck.

kcargile | May 27, 2008 12:30 AM
Tarek,
There are several different patterns you can follow to do what it is you are trying to do, each with their own merits and drawbacks. Your requirement to potentially use your security object in other types of applications, however, is not a trivial one. I'd suggest you look at the IPrincipal/IIdentity approach, which is commonly used in web applications, is well proven, and will facilitate use of your object as a security principal in other types of applications (WinForms, remoting/web services, COM+, etc.). You can populate the object with data however you wish, and it will work well with the programmatic style role checking needs. At the very least, it would be worth your time to see if this approach fits the bill for you.
The MS documentation for the two interfaces can be found here (I'm assuming .NET 2.0):
http://msdn.microsoft.com/en-us/library/system.security.principal.iprincipal(VS.80).aspx
http://msdn.microsoft.com/en-us/library/system.security.principal.iidentity(VS.80).aspx
Information of varying levels of detail on exactly how to implement these interfaces and use the resulting class(es) is all over the Internet (search for "implementing IPrincipal" or some such variation), including a step-by-step walkthrough on MSDN:
http://msdn.microsoft.com/en-us/library/ms172766(VS.80).aspx
HTH
-k
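A minimal custom IIdentity/IPrincipal pair along the lines kcargile suggests, with the thread's "same department" rule enforced in the business layer rather than in the page, as an added example in C# that is not from the thread, the MSDN walkthrough or CSLA. The type names StaffIdentity, StaffPrincipal, StaffRecord and AttendanceAdjustment, the department codes and the staff records are this example's own assumptions; the role keys are R001 and R009 from tRoles.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

// Added example, not code from the thread. A custom identity carries the staff ID and
// the department code looked up once at login; the principal carries the role keys.
public sealed class StaffIdentity : IIdentity
{
    public StaffIdentity(string staffId, string deptCode)
    {
        Name = staffId;
        DeptCode = deptCode;
    }
    public string Name { get; private set; }       // IIdentity.Name: the Staff ID
    public string DeptCode { get; private set; }   // assumed to come from the Staff table
    public string AuthenticationType { get { return "Custom"; } }
    public bool IsAuthenticated { get { return !string.IsNullOrEmpty(Name); } }
}

public sealed class StaffPrincipal : IPrincipal
{
    private readonly HashSet<string> roles;
    public StaffPrincipal(StaffIdentity identity, IEnumerable<string> roleIds)
    {
        Staff = identity;
        roles = new HashSet<string>(roleIds, StringComparer.OrdinalIgnoreCase);
    }
    public StaffIdentity Staff { get; private set; }
    public IIdentity Identity { get { return Staff; } }
    public bool IsInRole(string role) { return roles.Contains(role); }
}

public sealed class StaffRecord
{
    public readonly string StaffID, Name, DeptCode;
    public StaffRecord(string id, string name, string dept) { StaffID = id; Name = name; DeptCode = dept; }
}

public static class AttendanceAdjustment
{
    // Role keys from tRoles: R001 Application Admin, R009 Department Administrator.
    public const string ApplicationAdmin = "R001";
    public const string DepartmentAdmin = "R009";

    // Returns the staff the caller may adjust. The rule lives here, in the business
    // layer, so a page that forgets the check (or a direct web-service call) cannot
    // widen the list: admins get everyone, department admins only their own
    // department, everyone else gets an empty list.
    public static List<StaffRecord> GetStaffList(StaffPrincipal caller, IEnumerable<StaffRecord> allStaff)
    {
        List<StaffRecord> result = new List<StaffRecord>();
        if (caller == null || !caller.Identity.IsAuthenticated) return result;
        bool admin = caller.IsInRole(ApplicationAdmin);
        bool deptAdmin = caller.IsInRole(DepartmentAdmin);
        foreach (StaffRecord s in allStaff)
        {
            bool sameDept = string.Equals(s.DeptCode, caller.Staff.DeptCode, StringComparison.OrdinalIgnoreCase);
            if (admin || (deptAdmin && sameDept)) result.Add(s);
        }
        return result;
    }

    // The same rule applied to a single target before an update: refuse instead of filter.
    public static void EnsureCanAdjust(StaffPrincipal caller, StaffRecord target)
    {
        if (GetStaffList(caller, new[] { target }).Count == 0)
            throw new UnauthorizedAccessException("Not authorized to adjust attendance for staff " + target.StaffID);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed staff directory; "HR" and "IT" are sample department codes.
        StaffRecord[] staff =
        {
            new StaffRecord("S100", "Alice", "HR"),
            new StaffRecord("S200", "Bob", "IT"),
            new StaffRecord("S300", "Carol", "IT")
        };

        // After authentication the role keys would be loaded from the database; given here.
        StaffPrincipal deptAdmin = new StaffPrincipal(new StaffIdentity("S200", "IT"), new[] { "R009", "R020" });
        Thread.CurrentPrincipal = deptAdmin;   // in ASP.NET this would be HttpContext.Current.User

        StaffPrincipal caller = (StaffPrincipal)Thread.CurrentPrincipal;
        foreach (StaffRecord s in AttendanceAdjustment.GetStaffList(caller, staff))
            Console.WriteLine("May adjust: " + s.StaffID + " " + s.Name);

        try
        {
            AttendanceAdjustment.EnsureCanAdjust(caller, staff[0]);   // Alice is in another department
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```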

tarekahf | May 27, 2008 06:56 AM
Excellent! I think we are now talking on the same frequency.
I have been reading and practicing on the new .NET Authentication and Authorization for the past several weeks. Also, I am following the CSLA .NET Framework, which has a custom implementation of both the IIdentity and IPrincipal Interfaces. Check this link for details:
http://forums.lhotka.net/forums/thread/22529.aspx
While I am implementing this specific Authorization Requirements of the Attendance System, I will be taking care of the Aspects of .NET.
Do you agree with me that we have 2 different issues here:
- The Specific Custom Logic needed to implement Authorization. That is, it is not enough to check if the user is a member of a given role; the Authorization Logic for Certain Functions "may" also need to check if the Authenticated User (who is also a Staff member) is in the Same Department as the Staff whom the function is being applied on.
- The .NET Technical Aspects, which is using the IIdentity and IPrincipal Interfaces to achieve your Authorization Requirements. I think this is also not enough. These Interfaces will only Authenticate the User, Load the Roles assigned to him and make such information available to the whole application. I think we also need to implement a Custom Membership Provider to take full advantage of the .NET Authorization Features. For example, if I want to enable Security Trimming based on the Custom Authorization Logic I presented earlier.
The reason why I am posting this topic here is to reassure about the following:
- My understanding of how to use the .NET Security Features is correct.
- If the approach I am following is correct with regards to the common practices for implementing security in .NET, taking into consideration the authorization requirements.
Tarek.

etariq | Dec 02, 2008 12:58 PM
Why don't you create your own custom security class inherited from the Membership API?

rami_nassar | Dec 02, 2008 01:08 PM
I was looking for a class like this..... thanks tariq

tarekahf | Dec 03, 2008 08:15 AM
This is exactly what I am doing.

etariq | Dec 04, 2008 09:04 AM
When you're done with it, pass it over [:P]