Secure Dynamic Data Site

16 replies

Last post Feb 14, 2013 11:41 PM by mr41971

See my blog C# Bits | Twitter @sjnaughton
Always seeking an elegant solution.
  • veloce

    Nov 07, 2008 03:07 PM | veloce

    Steve, I want to thank you for your remarks. Please, feel free to modify my example and let us know what you can come up with.

    Remember that the two basic design principles I adopted are as follows:

    1.      Use ASP.NET Forms Authentication to discriminate the user's roles.

    Everything you do in terms of authentication, such as modifying permissions, if I understand you correctly, must be integrated, I believe, with the ASP.NET authentication mechanism.

    2.      Use ASP.NET Dynamic Data to authorize authenticated users to perform tasks at a lower level, tasks only understood by Dynamic Data. Probably the centralization of field security should be done at this level. Maybe you can expand on this: I'm still looking into a way of centralizing the Field Security.

    Thanks,

    Michael (aka veloce)

     

    This posting is provided "AS IS" with no warranties, and confers no rights.


    I blog at: Technical Notes

  • sjnaughton

    Nov 08, 2008 01:04 PM | sjnaughton

    Yes, I understand the principles. Have a look at this post, Dynamic Data - Default FieldGenerator, which I think could be the way forward for Field Security.

    [:D]

  • mdausmann

    Jul 10, 2009 10:38 PM | mdausmann

    Hi

    Thanks heaps for the sample. I have implemented it on my site and it works OK. I had a couple of questions.

    Delete is only available for the role tagged as 'administrator'. How would I go about allowing other user roles to have delete access on certain tables? I tried adding the 'Delete' action in attributes but it didn't work.

    [Security(Role = "Anonymous", Action = "AnonymousList")]
    [Security(Role = "Developer", Action = "List")]
    [Security(Role = "Developer", Action = "Details")]
    [Security(Role = "Rule Author", Action = "List")]
    [Security(Role = "Rule Author", Action = "Details")]
    [Security(Role = "Rule Author", Action = "Edit")]
    [Security(Role = "Rule Author", Action = "Delete")]
    public partial class BehaviourDocument
    {

    }

    Michael

  • sjnaughton

    Jul 11, 2009 04:43 AM | sjnaughton

    Hi Mdausmann, I'll have a look at my sample and get back to you.

  • sjnaughton

    Jul 11, 2009 05:02 AM | sjnaughton

    Hi Mdausmann, in this sample from Veloce you have to be admin to get the delete facility. You will need to look at the test on each page, e.g. the List page:

    // Enable delete button only to allowed users.
    private void SetDelete(TableRow row)
    {
        // Instantiate the SecurityInformation
        // utility object.
        DynamicDataSecurity secInfo =
          new DynamicDataSecurity();
    
    
        foreach (Control c in row.Cells[0].Controls)
        {
            // Deny delete capability to users that are
            // not administrators
            if (!secInfo.IsUserInAdmimistrativeRole() &&
              secInfo.IsUserInAuthenticatedRole())
            {
                // Do not allow delete.
                LinkButton btn = c as LinkButton;
                if (btn != null &&
                    btn.CommandName ==
                    DataControlCommands.DeleteCommandName)
                {
                    btn.Visible = false;
                    btn.OnClientClick = null;
                    btn.Enabled = false;
                }
            }
        }
    }

    if you note the statement:

    if (!secInfo.IsUserInAdmimistrativeRole() &&
              secInfo.IsUserInAuthenticatedRole())
    


    You will need to change the !secInfo.IsUserInAdmimistrativeRole() to some other test that will check for a role with delete.

    Hope that makes sense [:D]

  • zzdfc

    Jul 12, 2009 10:32 AM | zzdfc

    The Secure Dynamic Data Site example uses CustomDynamicDataRouteHandler to achieve security, but how do I pass session data to CustomDynamicDataRouteHandler? I need to pass custom logged-in user information to CustomDynamicDataRouteHandler.

    Thanks.

  • sjnaughton

    Jul 12, 2009 11:16 AM | sjnaughton

    Hi Zzdfc, I'm working on a simplified sample based on Veloce's work. I should have part 1 ready early this week.

  • zzdfc

    Jul 14, 2009 09:41 AM | zzdfc

    Hi sjnaughton:

    I have read your article "Securing Dynamic Data Preview 4 Refresh – Part 1", but it doesn't demo how to pass session data to CustomDynamicDataRouteHandler. I need to pass custom logged-in user information to CustomDynamicDataRouteHandler, for example:

    Roles, permissions and organization of the logged-in user.

  • sjnaughton

    Jul 14, 2009 09:56 AM | sjnaughton

    Hi Zzdfc, I'm not sure I understand what you are trying to do. Could you explain in a little more detail and I will try to create a sample that demonstrates it.

  • zzdfc

    Jul 14, 2009 11:58 AM | zzdfc

    using System;
    using System.Web;
    using System.Web.DynamicData;

    public class SecurityDynamicDataRouteHandler : DynamicDataRouteHandler
    {
        public override IHttpHandler CreateHandler(DynamicDataRoute route, MetaTable table, string action)
        {
            // Read the logged-in user's details from session state.
            HttpContext httpContext = HttpContext.Current;
            string userName = httpContext.Session["UserName"].ToString();
            string userID = httpContext.Session["UserID"].ToString();
            // Converted to bool so that the test below compiles.
            bool isAdmin = Convert.ToBoolean(httpContext.Session["IsAdmin"]);
            if (isAdmin)
            {
                .........
            }
            else
            {
                .........
            }

            return null;
        }
    }

    But the data in httpContext.Session is always null. What should I do?

    thanks.

  • sjnaughton

    Jul 14, 2009 12:39 PM | sjnaughton

    OK, I get what you mean now. I'll have a look into it and see if anything can be done.

  • sjnaughton

    Jul 15, 2009 06:26 AM | sjnaughton

     Hi Zzdfc, I've just tested it on my sample and I get Session populated, I think it may be when you are setting the session, but why are you using Session anyway?

    If you e-mail me I can give you my sample working.

  • zzdfc

    Jul 15, 2009 10:55 AM | zzdfc

    Hi sjnaughton:

    I hope to get your session sample, thank you very much!

    I use session to save the user's permissions, roles and information because the user's permissions, roles and information come from the database, not from attributes and metadata.

    I don't know if there is another method to save data for the entire session lifecycle.

    In my program, I get session populated in the first page, but session is null when it turns to list.aspx, detail.aspx, edit.aspx. I have tested many times.

    Thanks!

  • sjnaughton

    Jul 15, 2009 02:11 PM | sjnaughton

    At first I tried populating the session variable in the Login page, but then the Session was empty, so I decided to get them in the page that I get redirected to. I think you need to force the session to be populated on a new page, otherwise session will be empty.

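For roles and permissions that come from the database, as zzdfc describes, an alternative to Session is to carry them on the authenticated principal, which ASP.NET sets at AuthenticateRequest, earlier in the request pipeline than session state is acquired (an added example, not from the thread or from any poster's sample). It assumes the login code stored the roles comma-separated in the forms ticket's UserData and that the role manager is not enabled; RoleAwareRouteHandler, ForbiddenHandler and the "Administrator" role name are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.DynamicData;
using System.Web.Security;

// Global.asax code-behind. Assumption: at login the application stored the
// user's database roles, comma-separated, in the forms ticket's UserData.
public class Global : HttpApplication
{
    // AuthenticateRequest fires before routing selects a handler, so the
    // principal built here is already set when CreateHandler runs.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return; }      // malformed cookie: stay anonymous
        catch (CryptographicException) { return; } // failed decryption or validation
        catch (HttpException) { return; }
        if (ticket == null || ticket.Expired) return;
        string[] roles = (ticket.UserData ?? "")
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

// Hypothetical handler: read-only actions for any signed-in user, everything
// else only for the assumed "Administrator" role.
public class RoleAwareRouteHandler : DynamicDataRouteHandler
{
    public override IHttpHandler CreateHandler(DynamicDataRoute route, MetaTable table, string action)
    {
        IPrincipal user = HttpContext.Current.User;
        bool signedIn = user != null && user.Identity.IsAuthenticated;
        bool readOnly = action == PageAction.List || action == PageAction.Details;
        if (signedIn && (readOnly || user.IsInRole("Administrator")))
            return base.CreateHandler(route, table, action);
        return new ForbiddenHandler();             // fail closed
    }
}

public class ForbiddenHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext context) { context.Response.StatusCode = 403; }
}
```

Roles carried in the ticket stay in effect until the ticket is reissued, so a role removed in the database is not reflected until the user signs in again or the ticket expires.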
  • mr41971

    Feb 14, 2013 11:41 PM | mr41971

    I am still struggling with securing my DD site. Is there a simpler tutorial for simpler minds like mine to follow? I don't know what I am not doing or doing wrong. Following your tutorial I have gotten this error msg:

    error CS0246: The type or namespace name 'SecureDynamicRouteHandler' could not be found (are you missing a using directive or an assembly reference?)

    I am at the brink of shooting myself.

    Please save a life.
