tags:

views:

64

answers:

3
+2  Q: 

Design Patterns for security and data access control

Hi,

Having recently discovered design patterns, and having acquired the excellent Head First Design Patterns book (can really recommend it!), I am now wondering about design patterns for security and controlling access to records in data stores.

My use case is a bespoke CRM style application, with contacts, businesses, and users who have different levels of access, including being limited to read only access, or even a subset of records. I will only be doing distinct entity level access control, not field level.

Can anyone recommend any security orientated design patterns that would fit the above?

If it makes a difference, I am using ASP.Net MVC, Entity Framework 4 and SQL Server 2008.

A: 

Hi, Security is what we call Cross-cutting concern and it's never easy deal with.

If you need to deal with the security from ASP.NET MVC level you would consider to look at MVC tutorial :

http://www.asp.net/learn/mvc/

If you want to know more about the security from the domain model level, an interesting question was already asked :

http://stackoverflow.com/questions/627945/ddd-user-security-policies

Hope this helps

Thomas Jaskula  2010-03-30 08:26:15
+1  A: 

There does exists a group of patterns realted to security, though most of them fucuses on securing integrated systems. I have found no book that is as well written and usable as GOF/Head-first, though I did enjoy the one online at www.securitypatterns.org.

Security is as much about architecture (sever setup, network topology...) as its about programing, so I would recommend that you start out with a general security book. Also pick up a book specifically on .NET/Windows security, since robust security programming is very technology specific (I, as UNIX/Java programmer, will have a completly different toolbox than a .NET programmer and can unfortunatly not help you with a book on this last subject).

Lars Tackmann  2010-03-30 08:35:54
I am well versed in system security in general, all I am after here are design patterns for handling user to entity level security either in the DAL or at the repository level. How to structure the user to entity permission mappings and how to handle those mappings when retrieving data for given users et al.
Moo  2010-03-30 08:48:00
A: 

A good place to start on security (although not necessarily a "security design patterns" book) is Ross Anderson's Security Engineering.

Frank Shearar  2010-03-30 08:45:41

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security