views: 90
answers: 1
In my future web application there will be many user roles. Depending on the user's role, the webapp should restrict users' access to certain pieces of information. I need to implement the following features:

  • depending on role, the user should see only the columns and rows (in a data grid) that are available for the current role and user
  • depending on role, the user should view a page in read-only or in editable mode
  • depending on role, the user should have some controls on a web page visible or hidden

In my previous applications (which were pretty simple) this problem was solved using many conditional operators in code-behind files and in markup files as well. It was quite difficult to maintain such code.

I'm wondering whether there are any complex solutions for maintaining role-based security across all levels of the application (data, logic, view) without messing up the code with IFs.

PS: solutions for both the Java and .NET platforms are interesting.

A: 

Regarding point 1: You can implement that by encapsulating your data access and filtering loaded rows to match the current user's account / the current user's role.

I've implemented this and a similar mechanism for preventing write access to rows from other users in my data layer, which saves me from having to write read/write access security checks in the business layer.

Adrian Grigore
And how did you implement it in the DAO? Not like this?

    if (userRole == 'admin') {} if (userRole == 'role1') {} .. if (userRole == 'role') {}

There is still the problem of how to render the view depending on role.
kilonet
My data layer is based on LinqToSQL, and for the reads I add a simple where clause to restrict results to rows belonging to that particular user. The writes are a bit more complicated and my approach would not work without Linq, but perhaps you could approach this by adding an additional where clause to your update / delete queries as well, to restrict database operations by row owner.
Adrian Grigore
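The pattern Adrian describes (reads filtered by owner, updates and deletes carrying the same owner clause) together with the per-role column and read-only rules from the question, as an added example that is not part of the original thread and not Adrian's LinqToSQL code. It uses Python's sqlite3 module on an in-memory database so it runs offline; the `orders` table, the three roles, the users and all rows are constructed sample data, and `ROLE_POLICY`, `OrderDao` and `make_dao` are names chosen here. The point is that roles are named in exactly one policy table: the DAO appends the owner restriction to every query for restricted roles, so business and view code only ask `list_orders` and `can_edit` and never branch on the role themselves.

```python
import sqlite3

# Constructed policy table: what each role may see and do on the "orders"
# grid. A role missing here gets nothing (fail closed). This is the single
# place roles are mentioned; the DAO and the view only consult the policy.
ROLE_POLICY = {
    "admin":   {"columns": ("id", "owner", "customer", "amount", "internal_note"),
                "all_rows": True,  "can_write": True},
    "sales":   {"columns": ("id", "owner", "customer", "amount"),
                "all_rows": False, "can_write": True},
    "auditor": {"columns": ("id", "customer", "amount"),
                "all_rows": True,  "can_write": False},
}

class User:
    def __init__(self, name, role):
        self.name = name
        self.role = role

class OrderDao:
    """Every query carries the row-owner / role restriction itself."""

    def __init__(self, conn):
        self.conn = conn

    def _policy(self, user):
        return ROLE_POLICY.get(user.role)

    def can_edit(self, user):
        """Tells the view whether to render the page editable or read-only."""
        pol = self._policy(user)
        return bool(pol and pol["can_write"])

    def list_orders(self, user):
        """Rows restricted to the owner for limited roles, columns by role."""
        pol = self._policy(user)
        if not pol:
            return []
        cols = pol["columns"]
        # Column names come from the fixed policy above, never from the
        # request, so interpolating them is safe; data values are bound.
        select = ", ".join(cols)
        if pol["all_rows"]:
            cur = self.conn.execute(f"SELECT {select} FROM orders ORDER BY id")
        else:
            cur = self.conn.execute(
                f"SELECT {select} FROM orders WHERE owner = ? ORDER BY id",
                (user.name,))
        return [dict(zip(cols, row)) for row in cur.fetchall()]

    def _write(self, user, sql, params):
        """Run an UPDATE/DELETE, appending the owner clause for restricted
        roles. Returns True only when exactly one row was affected, so a
        write against someone else's row silently becomes a no-op."""
        pol = self._policy(user)
        if not pol or not pol["can_write"]:
            return False
        if not pol["all_rows"]:
            sql += " AND owner = ?"
            params = params + (user.name,)
        cur = self.conn.execute(sql, params)
        self.conn.commit()
        return cur.rowcount == 1

    def update_amount(self, user, order_id, amount):
        return self._write(user, "UPDATE orders SET amount = ? WHERE id = ?",
                           (amount, order_id))

    def delete_order(self, user, order_id):
        return self._write(user, "DELETE FROM orders WHERE id = ?", (order_id,))

def make_dao():
    """Build an in-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, "
                 "customer TEXT, amount REAL, internal_note TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "ACME", 100.0, "vip"),
        (2, "bob", "Globex", 250.0, ""),
        (3, "alice", "Initech", 75.0, "late payer"),
    ])
    conn.commit()
    return OrderDao(conn)

if __name__ == "__main__":
    dao = make_dao()
    print(dao.list_orders(User("alice", "sales")))          # only alice's rows, no internal_note
    print(dao.update_amount(User("bob", "sales"), 1, 999.0))  # False: row 1 is not bob's
    print(dao.can_edit(User("carol", "auditor")))             # False: render read-only
```

The owner clause lives in the SQL rather than in a check done after loading the row, so a caller that guesses another user's `id` gets a zero-rowcount update instead of a modified row; the same `_write` helper serves both update and delete, which is what Adrian suggests for the write side.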