tags:

views:

152

answers:

4
+1  Q: 

Am I wrong in wanting to roll my own Authenticate / Authorize system given the following requirements?

In my pet project I want to have a user system with the following requirements:

  • It needs to work with Db4o as a persistance model
  • I want to use DI (by means of Turbine) to deliver the needed dependencies to my user model
  • It needs to be easy to plug in to asp.net-mvc
  • It needs to be testable without much hassle
  • It needs to support anonymous users much like SO does
  • I want Authentication and Authorization separated (the first can live without the second)
  • It needs to be safe

I'm aware I'm putting a few technologies before functionalities here, but as it is a pet project and I want to learn some new stuff I think it is reasonable to include them as requirements.

Halfway in rolling my own I realized I am probably suffering some NIH syndrome.
As I don't really like how needlessly complex the existing user framework in asp.net is, it is actually mostly only all the more complicated stuff regarding security that's now giving me some doubts. Would it be defendable to go on and roll my own? If not how would you go about fulfilling all the above requirements with the existing IPrinciple based framework?

+1  A: 

If you go ahead and create your own custom solution, you will have a better idea of how difficult it is and what features you want. This will help you to evaluate off-the-shelf solutions for future projects.

OTOH, spending time developing functionality that is already readily available means you won't be spending that time working on the major functionality of your project. Unless authentication and authorization are a major component of your project, you might consider investing your time, and expanding your knowledge, in another area.

DOK  2009-12-07 14:07:50
Seeing it is a pet project, "learning" is the major functionality ;)I'm using the existing framework at work already and I find it too generic in most cases. I understand it is meant to be one-size-fits all, but for some reason it never feels snug to me.
borisCallens  2009-12-07 14:32:15
I agree with you about the Membership provider being too generic. Not only that, I have found it very difficult to customize. I would avoid it on any non-trivial project. I'd still evaluate whether learning more about authentication and authorization is worth more to you than learning about something else. If you haven't done much with it, this is a great opportunity to learn and experiment.
DOK  2009-12-07 14:55:39
+4  A: 

It sounds to me like what you want to do is roll your own Custom .NET Membership Provider.

It will allow you to use the built-in ASP.NET Authentication/Authorization attributes on your Controller Actions while giving you complete control over the implementation inside the provider (which will allow you to code it to meet the requirements stated above).

Direct from MSDN...

Implementing a Membership Provider

Justin Niessner  2009-12-07 14:09:12
Thanks for the link. That might be a solution that allows me have my cake and eat it too.
borisCallens  2009-12-07 14:29:31
Also, I found this: http://www.codeplex.com/db4oProviders
borisCallens  2009-12-07 14:34:50
@boris That definitely looks interesting. Might be something to take a look at as I'm guessing it misses out on a couple of your requirements. The fact that it needs to be run in a full trust environment might make me hesitate if you ever want to distribute the app...
Justin Niessner  2009-12-07 14:38:26
The problem is that however you implement it, if it's going to need db4o, it will always be full trust. Unless I host the db4o somewhere different (my own machines?) I think it will be inevitable.
borisCallens  2009-12-07 14:48:52
as a side note: what do you mean with Authentication/Authorization attributes? As far as I'm aware they are one and the same in the current architecture (that's one of the things I'm not 100% comfortable with)
borisCallens  2009-12-07 14:50:17
They're rolled in to the same attribute, yes. Sorry for the confusion. The two aspects are handled seperately by your provider though. An empty [Authorize] just states that the user needs to be Authenticated to call the Action. Provider Roles in the attribute is how you handle Authorization. Personally, I think this makes thing look cleaner and easier to understand in the code base (you don't have anybody having Authorize without a matching Authenticate, etc.)
Justin Niessner  2009-12-07 14:56:46
You are probably right. From an architectural POV I would prefer them separated, but usage would dictate them to be together.
borisCallens  2009-12-07 15:14:57
+1  A: 

I think you recognize where the thin parts in your consideration are: namely in that you've included how to do what you're doing as motive in why you're doing it and the NIH (funny: I'd never seen that before) issue.

Putting those aside, your provider is something that you could potentially reuse and it may simplify some of your future efforts. It should also serve to familiarize you further with the issue. As long as you understand the ASP.NET framework so you can work with it too if you need to (and aren't specialized such that you don't know what you're doing if you're not using your tool) then I believe you've already crafted your defense.

As DOK mentioned, be cautious that you're not rolling your own here to avoid a larger task at hand in whatever your other functionality is. Don't let this be a distraction: it should be something your application really needs. If it's not, then I'd lean towards focusing on your software's core mission instead.

antik  2009-12-07 14:20:29
+1  A: 

I too am working on a pet Project using ASP.net MVC and db4o and did the same thing, so you're at least not alone in going down that route :). One of the biggest reasons for me to start playing around with db4o as persistence layer is that especially authorization on field level (i.e I'm allowed to see Person A's first name but not Person B's first name) is though to achieve if you're forced into complex SQL statements and an anemic domain model.

Since I had complex authorization needs that needed to be persisted (and synchronized) in both db4o and Solr indexes I started working on rolling out my own, but only because I knew up front it was one of the key features of my pet project that I wanted 100% control over.

Now I might still use the .Net Membership provider for authentication but not (solely) for authorization of objects but only after i POC'd my authorization needs using my own.

Martijn Laarman  2009-12-07 14:30:41
What do you mean with POC'ing authorization needs? All them TLA's ;)
borisCallens  2009-12-07 14:46:26
My bad, damn us programmers and our TLA's (i had to google TLA btw (by the way) ;)). POC == proof of concept.
Martijn Laarman  2009-12-07 15:02:28
Damn, should have figured that one out. Or maybe a quick lmgtfy would've sufficed ;)
borisCallens  2009-12-07 15:12:51

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication