Noffke.com

.Net Web Application Security

by on Aug.20, 2010, under Software Development

OBJECTIVE

Implement a standard security mechanism based on the recommended Microsoft SQL Server provider for use in a custom asp.net web application.  The diagram below helps to show where this component sits in the overall solution design.

This visualization shows how the security of an application can be implemented across the standard layers of an application.  It’s taken from the 2nd edition of the .Net Application Architecture Guide which is a solid point of reference for implementing our Microsoft based solution.

There are two primary points of focus in securing the application: authentication and authorization.  Authentication tells us that users are who they say they are; authorization controls access to the components a user has been granted.  How each of these can be implemented and leveraged to meet our needs is discussed in detail below.

Authentication

When configured within an application, users are prompted to authenticate.  This is easily implemented in an asp.net solution via settings in the web.config.  The sample below shows the basic structure used to set the base attributes.


<authentication mode="Forms">

</authentication>

Clearly this is not all that is necessary, but it already shows that Forms mode will make it easier to implement an extensible authentication process.  This is the first departure from the default settings.

To determine what underlying process is used to manage the users of the website, we need to implement a provider.  In our Microsoft SQL Server based solution, it is straightforward to leverage the SqlMembershipProvider; more on this in a moment.

Authorization

Once the user has been identified as who they represent themselves to be, we will inevitably need to determine their privileges.  Fortunately we have another simple structure that can be used to implement this within the web application.


<authorization>
<deny users="?"/>
<allow roles="Administrators"/>
</authorization>

This straightforward structure can be used to secure access to entire files and directories.  Similar to the first provider, we can use the SqlRoleProvider to assist in our handling of user authorization.
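To make the rule ordering concrete, here is an added example (not code from the original post) that parses an authorization fragment of the shape above and applies the framework's top-down, first-match evaluation, including the implicit allow-all rule inherited from the root web.config when no rule matches.  The user names, role lists and the trailing deny-all rule in the second fragment are my own construction.

```python
"""Simulate ASP.NET URL authorization over an <authorization> fragment.

Added example, not code from the original post: rules are evaluated
top-down and the first matching rule wins; when nothing matches, the
machine-level root web.config supplies an implicit <allow users="*"/>.
"""
import xml.etree.ElementTree as ET

# Implicit final rule inherited from the framework's root web.config.
ROOT_DEFAULT = [("allow", {"users": "*"})]


def parse_rules(fragment):
    """Return [(action, attributes)] in document order from the XML text."""
    root = ET.fromstring(fragment)
    return [(el.tag, dict(el.attrib)) for el in root if el.tag in ("allow", "deny")]


def _split(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def _matches(attrs, user, roles, verb):
    # A verbs attribute limits the rule to the listed HTTP methods.
    if "verbs" in attrs and verb.lower() not in _split(attrs["verbs"]):
        return False
    for u in _split(attrs.get("users", "")):
        if u == "*" or (u == "?" and user is None) or (user and u == user.lower()):
            return True
    held = {r.lower() for r in roles}  # roles as returned by GetRolesForUser
    return user is not None and any(r in held for r in _split(attrs.get("roles", "")))


def is_authorized(fragment, user, roles=(), verb="GET"):
    """user=None models an anonymous request; roles is the user's role list."""
    for action, attrs in parse_rules(fragment) + ROOT_DEFAULT:
        if _matches(attrs, user, roles, verb):
            return action == "allow"
    return False


# Constructed fragments: the post's rule set, and the same set closed with a
# trailing deny so non-administrators do not fall through to ROOT_DEFAULT.
POST_RULES = """<authorization>
<deny users="?"/>
<allow roles="Administrators"/>
</authorization>"""
HARDENED_RULES = POST_RULES.replace(
    "</authorization>", '<deny users="*"/>\n</authorization>')
```

With the post's two rules an authenticated user who is not an Administrator reaches the implicit root rule and is allowed; the hardened fragment closes that gap.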

SQL Membership and Role Providers

When we are ready to store users in our SQL database, all that needs to be done is to run the aspnet_regsql.exe installation program.  It creates the set of tables and stored procedures used by our providers.

The foundations are nearly in place with the creation of the database structures.  To utilize them within our solution, we’ll need a few more lines of code in our web.config.


<membership defaultProvider="OurMembershipProvider">
  <providers>
    <clear/>
    <add name="OurMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider"

    />
  </providers>
</membership>
<roleManager defaultProvider="OurRoleProvider">
  <providers>
    <clear/>
    <add name="OurRoleProvider"
         type="System.Web.Security.SqlRoleProvider"

    />
  </providers>
</roleManager>

With these settings in place we can now make use of the core methods of the providers we have configured.  The primary Membership provider method is ValidateUser, while the Role provider relies on the IsUserInRole method.  Various other methods can be used to manage the users and roles within the application, all relying on the standard features provided.

Should this simple approach prove incomplete, a custom provider class can be created that derives from the base provider and overrides its behavior.  Such a class must implement a core set of methods, although the application can choose not to use all of those features.

Concerns

Three concerns with the use of a pre-defined solution as described above have been noted.  These are briefly addressed below:

  • There is only a practical limit to the number of roles that can be used, and there is no inherent flaw in the design that limits it to returning a single role.  For example, the SQLMembershipProvider implements a GetRolesForUser method.
  • Changes to the database structure, such as moving the tables and stored procedures to a different naming convention, can be accommodated by implementing a pair of custom providers whose methods would then only need to mirror those of the SQL providers.
  • Limitations on groups and roles arise only where complex relationships within the user base are needed.  The hosting domain mentioned implies that integrated Windows authentication is used; this is different from forms-based authentication and can be configured independently.

Conclusion

Using the simple .Net framework provided solution has several benefits.  It was confirmed to meet the business requirements documented outside of this analysis, it minimizes custom application development and maintenance, and it saves time.
