Hi,

I need to be able to tighten my business layer - access to particular data. The UI can make a call to the business layer and receive a userdetail. The UI can then call .Save() on a user and the business layer will call the data access layer to save the user.

However, the problem here is that I don't want just any user to be able to receive a userdetail and call save - only authenticated users with the role of "admin". How would I go about this authentication/authorisation in my business layer/UI so I can achieve this?

I am using ASP.NET for my UI, and I've read into membership/role providers, but this just seems to be for the actual UI. I need to secure it at my business layer because in the future there could be a couple of different UIs, e.g. Windows Forms and ASP.NET.

Thoughts and suggestions are appreciated.

Thanks.

A: 

The ASP.NET Role / Membership providers include storage and code level components you can re-use - they aren't just the UI.

For fine-grained access control (for example to specific functionality on a page) you can use the Enterprise Library. You'll be able to re-use code to protect functionality both at the BL layer and in the UI layer.

The link you most want is this one: Determining Whether a User Is Authorized to Perform a Task

Also see:

During earlier releases of the EntLibs, the Authorization Manager was a key component, but in more recent versions it's not a firm requirement, instead you can use an AuthorizationRuleProvider. see: Developing Applications Using Windows Authorization Manager.

Filtering data is a bit more problematic depending on the complexity of your data, the amount of it and performance needs.

  • One strategy is to have a simple DAL that returns everything, and prune out data the current user isn't allowed to see in the BL.
  • Design a DAL that has some knowledge of the roles your application uses: DAL.GetCustomersForAdmin() and DAL.GetCustomersForMember(). But this is a bit dangerous as you'll be tied to using those roles.
  • Have a database / DAL that is security aware, and always returns only the data the user is permitted to see, via the same methods: DAL.GetCustomers()
Adrian K
I think this is what I want. It does look complex though
Mike
A lot of things look complex from the outside - but aren't so bad once you're in; and once you're up to speed you can re-use it anywhere - the first time might be slow, but subsequent uses will be much faster.
Adrian K
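Added example (C#), not code from this thread and not Enterprise Library's own API: one way to put the checks described in the answer above into the business layer itself, so they hold whichever UI calls it. It relies only on the IPrincipal that ASP.NET already places in Thread.CurrentPrincipal from the Membership/Role providers; a Windows Forms client would set Thread.CurrentPrincipal after its own login, and a WIF ClaimsPrincipal also implements IPrincipal, so the same check applies there. The DAL follows the third filtering strategy in the list: a single GetUsers() that returns only what the caller may see. The class and method names, the "admin"/"member" role names and the in-memory table are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Illustrative types only (assumed names, not from the thread).
public class UserDetail
{
    public int Id { get; set; }
    public string Name { get; set; }
}

// Security-aware DAL (strategy 3): one GetUsers() that filters on the caller,
// instead of GetUsersForAdmin()/GetUsersForMember() variants tied to role names.
public static class UserDal
{
    // Constructed in-memory stand-in for the database table.
    private static readonly List<UserDetail> Table = new List<UserDetail>
    {
        new UserDetail { Id = 1, Name = "alice" },
        new UserDetail { Id = 2, Name = "bob" },
    };

    public static IList<UserDetail> GetUsers(IPrincipal caller)
    {
        if (caller.IsInRole("admin"))
            return Table.ToList();                                   // admins see every row
        return Table.Where(u => u.Name == caller.Identity.Name).ToList(); // others see only their own row
    }

    public static void SaveUser(UserDetail user)
    {
        UserDetail existing = Table.FirstOrDefault(u => u.Id == user.Id);
        if (existing == null) Table.Add(user); else existing.Name = user.Name;
    }
}

// Business layer: every public method authorizes before touching the DAL.
public static class UserService
{
    // Central check, re-used by every business method and therefore by every UI:
    // the caller must be authenticated AND in the required role.
    private static IPrincipal DemandRole(string role)
    {
        IPrincipal p = Thread.CurrentPrincipal;
        if (p == null || p.Identity == null || !p.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");
        if (!p.IsInRole(role))
            throw new SecurityException("Caller is not in role '" + role + "'.");
        return p;
    }

    // Only admins may fetch a UserDetail, as the question requires.
    public static UserDetail GetUserDetail(int id)
    {
        IPrincipal caller = DemandRole("admin");
        UserDetail user = UserDal.GetUsers(caller).FirstOrDefault(u => u.Id == id);
        if (user == null) throw new KeyNotFoundException("No user with id " + id);
        return user;
    }

    // Only admins may save. The check lives here, not in page code-behind.
    public static void Save(UserDetail user)
    {
        DemandRole("admin");
        UserDal.SaveUser(user);
    }

    // Listing open to any authenticated member; the DAL narrows the rows.
    public static IList<UserDetail> ListVisibleUsers()
    {
        IPrincipal caller = DemandRole("member");
        return UserDal.GetUsers(caller);
    }
}

// Stand-in for the host: ASP.NET or a WinForms login would set the principal.
public static class Demo
{
    private static void RunAs(string name, string[] roles, Action action)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
        try { action(); }
        catch (SecurityException e) { Console.WriteLine(name + ": denied (" + e.Message + ")"); }
    }

    public static void Main()
    {
        RunAs("alice", new[] { "admin", "member" },
              () => Console.WriteLine("alice sees " + UserService.ListVisibleUsers().Count + " users"));
        RunAs("bob", new[] { "member" },
              () => Console.WriteLine("bob sees " + UserService.ListVisibleUsers().Count + " users"));
        RunAs("bob", new[] { "member" },
              () => UserService.Save(new UserDetail { Id = 2, Name = "bobby" }));   // not admin: denied
        RunAs("", null, () => UserService.GetUserDetail(1));                        // empty identity: not authenticated
    }
}
```

Running Demo.Main shows the admin listing every row, the member listing only his own, and the member's Save and the anonymous GetUserDetail both refused by the business layer before any DAL call. On .NET Framework the same demand can be written declaratively with PrincipalPermissionAttribute (SecurityAction.Demand, Role = "admin") on the method, which also reads Thread.CurrentPrincipal; the explicit DemandRole above is kept so the rule is visible in one place and independent of code-access-security support.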
+1  A: 

Another approach you might want to research (if developing in .NET 3.5 / 4.0) is using Windows Identity Foundation.

If you are interested in keeping your authorization logic outside your web site (which I assume you would if you are expecting to use your business layer from more than one front-end) I would definitely recommend taking a look at WIF. You can also integrate with Active Directory using ADFS v2.0 (which is a server role in Windows Server 2008 R2).

Patterns & Practices has released a guide which can be quite useful for digging into the subject.

Anero