tags:

views:

33

answers:

1
Q: 

Entity Framework Security

In my organization, we are just beginning to use the Entity Framework for some applications. In the past, we have pushed developers to utilize stored procedures for all database access. In addition to helping with SQL injection, we tried to grant logins access to stored procedures only to keep security relatively tight.

Although inserting, updating, and deleting are easily done through stored procedures in the EF, it appears to be difficult to use stored procedures to query data with EF. However, using LINQ or Entity SQL and allowing EF to create the queries means giving a user read access to the entire database.

How have others handled this dilemma?

+2  A: 

What kind of data protection are you trying to apply?

With EF, you can write a unit testable business logic layer that will handle many more authorisation scenarios than you can do at the database layer (although I can see how multiple layers of security makes you feel safer):

  • Querying AD (is this user the manager of that user?)
  • Calling web services
  • Checking other environmental contexts

If your circumstances mean you're not ready to think of the database as a store for data rather than a security & business logic layer, then maybe EF isn't right for your project.

P.S. EF will protect you from SQL injection.

Rob Fonseca-Ensor  2010-04-26 20:01:46
Quite right. After reviewing some of the security practices I was using for reading data from the database, I determined they were not providing any *true* security.
NYSystemsAnalyst  2010-05-18 13:06:17

related questions

Entity diagrams in ASP.NET MVC
Aging Data Structure in C#
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
How do I make a custom .net client profile installer?
.NET 3.5 SP1 and aspnet_client Crystal Reports
Can I create a ListView with dynamic GroupItemCount?
N2 CMS
Conditional Linq Queries
LINQ query on a DataTable
Asynchronous Remoting calls
Using EF Entity as DTO Object
WPF: How to style or disable the default ContextMenu of a TextBox
C# 2.0 code consuming assemblies compiled with C# 3.0
Using C#/WIA version 2.0 on Vista to Scan
Has anyone run performance benchmarks comparing LINQ
Beginners Guide to LINQ
Extension interface patterns
C# 3.0 Where extension method with lambda vs LINQtoObjects to filter in memory collections.
Upgrade to ASP.NET 3.x
Where can I get the Windows Workflow "wca.exe" application?
LINQ on the .NET 2.0 Runtime
Is nAnt still supported and suitable for .net 3.5/VS2008?
How do you page a collection with LINQ?
How do I get a distinct, ordered list of names from a DataTable using Linq
How do I fill a DataSet or a DataTable from a LINQ query resultset ?