Last post Dec 31, 2010 05:21 AM by mm8
Dec 20, 2010 04:48 AM|mm8|LINK
If I have an ASP.NET MVC application using a business layer to validate data before saving it to a database, should I then have the security checks (i.e. who has permission to save) in the business layer or in the ASP.NET application? I can set Authorize attributes on the controller actions, but should I also check in the business layer that the user has the right permissions?
public bool SaveSomething(Object o)
If doing so, I guess I have to make an extra roundtrip to the database...?
Dec 20, 2010 05:31 AM|ignatandrei|LINK
In the business layer is where you should do it.
You can add it later in other layers (GUI) to make the application faster.
Dec 20, 2010 10:27 AM|sachingusain|LINK
Yes, you must do it in the business layer. That's the layer that defines all the rules for your application.
Dec 20, 2010 11:45 AM|mm8|LINK
How would the application get faster if I still have to do the validation in the business layer? Also, how do I make use of the MembershipProvider used in the web application in the business layer? I want the business layer to work regardless of whether there is an ASP.NET or a WPF application as UI, so I guess I can't call HttpContext.Current.User from the BL?
Dec 20, 2010 02:49 PM|atconway|LINK
I want the business layer to work regardless of whether there is an ASP.NET or a WPF application as UI, so I guess I can't call HttpContext.Current.User from the BL?
No, but all 'HttpContext.Current.User' does is return an object that implements System.Security.Principal.IPrincipal, which you could pass down through the layers and remain application-type agnostic.
Dec 21, 2010 06:28 AM|mm8|LINK
Don't really see what you mean. What code should I call in the BL to find out which user is currently making a request, no matter if the request comes from a web application or a WPF application?
Dec 21, 2010 10:36 AM|atconway|LINK
You might not have a method identical to this because you probably wouldn't pass the type directly in (might be a property or security object of its own), but it shows you how you can use the code:
Public Sub DoSomething(ByVal MyValue1 As String, ByVal UserContext As System.Security.Principal.IPrincipal)
    If UserContext.Identity.IsAuthenticated Then
        If UserContext.Identity.Name = "SuperDuperAdmin" Then
        End If
    End If
End Sub
...and sample calling code, say in an ASP.NET instance:
'Pass in the 'HttpContext.Current.User' object which implements the IPrincipal Interface
DoSomething("some value", HttpContext.Current.User)
Remember that as long as the security context type implements the IPrincipal interface, you will be able to use the type to check security regardless of the application type. Interfaces don't care about the implementation details, just that the type adheres to the interface itself.
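Added example (not code from the thread): a C# business-layer method that takes an IPrincipal parameter, as the reply above suggests, with the same check reused by an ASP.NET MVC controller (which passes its User property) and by a desktop caller that builds a GenericPrincipal. The service, controller, role name and user names are all constructed for this illustration; the MVC part assumes a reference to System.Web.Mvc.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

public class OrderService
{
    // Role name is an assumption for this example.
    private const string RequiredRole = "OrderEditors";

    // The authorization check lives in the business layer, so it applies
    // no matter which UI (ASP.NET, WPF, a test) is calling.
    public bool SaveOrder(string orderId, IPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");
        if (!user.IsInRole(RequiredRole))
            throw new SecurityException("Caller lacks role " + RequiredRole + ".");

        // ... validation and persistence would go here ...
        return true;
    }
}

// ASP.NET MVC caller: Controller.User is HttpContext.User, an IPrincipal.
public class OrdersController : System.Web.Mvc.Controller
{
    private readonly OrderService _service = new OrderService();

    // [Authorize] stops unauthorized requests early; the BL still re-checks
    // so the rule holds even when the service is reached some other way.
    [System.Web.Mvc.Authorize(Roles = "OrderEditors")]
    public System.Web.Mvc.ActionResult Save(string id)
    {
        _service.SaveOrder(id, User);
        return RedirectToAction("Index");
    }
}

// WPF/console caller: there is no HttpContext, so the app supplies the
// principal its own login produced. A GenericPrincipal with constructed
// roles stands in for that here.
public static class DesktopCaller
{
    public static void Run()
    {
        var editor = new GenericPrincipal(new GenericIdentity("alice"), new[] { "OrderEditors" });
        Thread.CurrentPrincipal = editor;            // optional ambient copy for other code

        var service = new OrderService();
        Console.WriteLine(service.SaveOrder("ORD-1", editor));   // True

        var viewer = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Viewers" });
        try
        {
            service.SaveOrder("ORD-1", viewer);
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("denied: " + ex.Message);   // rejected by the BL, not the UI
        }
    }
}
```

Because the service only depends on IPrincipal, a unit test can exercise the denial path with a GenericPrincipal and never touch ASP.NET membership or a database.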
Dec 21, 2010 11:02 AM|mm8|LINK
This requires me to pass HttpContext.Current.User from the ASP.NET application. I would prefer not to pass anything regarding security at all, but to simply do the check in the BL. Is this possible? Also, as of now I am setting the objectProviderKey of the MembershipUser to the id of the user once he has logged in. How do I retrieve this value in the Business Layer in a scenario like this?
Dec 22, 2010 07:05 AM|Saravanan M|LINK
PrincipalPermissionAttribute Class allows security actions for PrincipalPermission to be applied to code using declarative
Could be like this,
using System.Security.Permissions;

[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
public void DoSomething1() { /* only callers in the Administrators role reach here */ }

[PrincipalPermission(SecurityAction.Demand, Role = "Users")]
public void DoSomething2() { /* only callers in the Users role reach here */ }
Dec 23, 2010 04:24 AM|mm8|LINK
How are the roles defined? How does it for example check if the current user is in role "Administrators"?
Dec 23, 2010 04:40 AM|Saravanan M|LINK
How to: Restrict Access with the PrincipalPermissionAttribute Class.
Dec 23, 2010 08:38 AM|mm8|LINK
The link is broken.
Dec 24, 2010 04:19 AM|Saravanan M|LINK
Here it is: http://msdn.microsoft.com/en-us/library/ms731200.aspx
Dec 31, 2010 05:21 AM|mm8|LINK
I guess using PrincipalPermission is basically the same thing as doing this inside the method: if (!Thread.CurrentPrincipal.IsInRole("role")) throw new SecurityException();
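Added example (not code from the thread) covering the PrincipalPermission reply, the question of how the role check is resolved, and the equivalence stated in the last post: both the declarative attribute and the imperative check read Thread.CurrentPrincipal and call IsInRole on it. In ASP.NET the pipeline sets Thread.CurrentPrincipal from HttpContext.User (roles come from the configured RoleProvider); a desktop app sets it itself after login. The service, role and user names below are constructed for the illustration, and declarative PrincipalPermission demands are a .NET Framework feature.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class AdminService
{
    // Declarative: the runtime demands the permission before the body runs.
    // The demand is satisfied only if Thread.CurrentPrincipal.IsInRole("Administrators").
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public string ResetPasswords()
    {
        return "reset";   // privileged work stands in here
    }

    // Imperative equivalent of the attribute above, written out by hand.
    public string ResetPasswordsImperative()
    {
        IPrincipal p = Thread.CurrentPrincipal;
        if (p == null || !p.Identity.IsAuthenticated || !p.IsInRole("Administrators"))
            throw new SecurityException("Administrators role required.");
        return "reset";
    }
}

public static class Demo
{
    public static void Main()
    {
        var service = new AdminService();

        // Constructed principal standing in for what ASP.NET or a WPF login would set.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Administrators" });
        Console.WriteLine(service.ResetPasswords());             // reset
        Console.WriteLine(service.ResetPasswordsImperative());   // reset

        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("bob"), new[] { "Users" });
        try
        {
            service.ResetPasswords();                            // declarative demand fails
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("denied (declarative): " + ex.Message);
        }
        try
        {
            service.ResetPasswordsImperative();                  // hand-written check fails
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("denied (imperative): " + ex.Message);
        }
    }
}
```

The ambient-principal approach answers the wish not to pass a security object through the layers, at the cost that the business layer now trusts whatever the host process put on the thread; in a WPF client that principal is set by code the user controls, so server-side enforcement is still the check that counts.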