views: 37
answers: 2

Hi

I want to implement roles and permissions on a web app we have created and I am looking at using System.Web.Security.SqlRoleProvider to implement this. My problem is that each client will want to be able to configure who can and cannot perform actions in the system and no two clients will want the same, so creating basic Admin, User, Manager roles to cover all won't suffice.

What I am proposing to do for each screen is create roles as follows

Screen1Create, Screen1Update, Screen1Delete, Screen1Read
Screen2Create, Screen2Update, Screen2Delete, Screen2Read

and so on.

I would then allow the client to select the roles per user, which would be stored in a cookie when the user logs in.

I could then read the cookie and use user.isinrole to check if each method can be called by the current user.

I realise there is a size constraint with cookies that I need to be aware of. Apart from that, does this sound feasible? Is there a better way to do it?

Many thanks for any input.

A: 

Remember that cookies are user-supplied inputs, so if you're going to store the privileges of users in cookies, you must use a keyed hash function (such as HMAC-SHA256) to make sure that users do not grant themselves additional permissions.

Or, if you store all the permissions in your database, it'll be persistent across client computers and you won't need to validate its integrity every time you wish to use it.

sarnold
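The keyed-hash approach described in this answer, as an added example (not code from the answer or from the asker's application). It signs the role list together with the user name using HMAC-SHA256, verifies the tag in constant time before trusting the roles, and treats any mismatch as "no roles". The cookie name, the separator characters and the key literal are assumptions; the key in particular is a placeholder that must come from protected server-side configuration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Cookie layout (assumed for this example): "<urlencoded user;role1,role2>|<base64 HMAC-SHA256>"
public static class SignedRoleCookie
{
    public const string CookieName = "roles";

    // PLACEHOLDER: load from protected configuration; never hard-code a real key.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("REPLACE-WITH-A-32-BYTE-OR-LONGER-RANDOM-SECRET");

    // Issued once at login, after the user's roles have been read from the database.
    public static HttpCookie Create(string userName, string[] roles)
    {
        // Binding the user name into the signed payload stops one account's cookie
        // from being presented for another account.
        string payload = userName + ";" + string.Join(",", roles);
        string mac = Convert.ToBase64String(ComputeMac(payload));
        var cookie = new HttpCookie(CookieName, HttpUtility.UrlEncode(payload) + "|" + mac);
        cookie.HttpOnly = true; // not readable by script
        cookie.Secure = true;   // sent only over HTTPS
        return cookie;
    }

    // Returns the roles when the tag verifies and the cookie belongs to userName; null otherwise.
    public static string[] TryRead(HttpCookie cookie, string userName)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        int sep = cookie.Value.LastIndexOf('|');
        if (sep < 0) return null;

        string payload = HttpUtility.UrlDecode(cookie.Value.Substring(0, sep));
        byte[] presented;
        try { presented = Convert.FromBase64String(cookie.Value.Substring(sep + 1)); }
        catch (FormatException) { return null; }

        byte[] expected = ComputeMac(payload);
        if (!FixedTimeEquals(presented, expected)) return null; // modified or forged

        int semi = payload.IndexOf(';');
        if (semi < 0 || payload.Substring(0, semi) != userName) return null;

        string roleList = payload.Substring(semi + 1);
        return roleList.Length == 0 ? new string[0] : roleList.Split(',');
    }

    private static byte[] ComputeMac(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Constant-time comparison so the tag cannot be guessed byte by byte from timing differences.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Two limits worth keeping in mind with this design: the HMAC gives integrity, not confidentiality, so the role names are visible to the user; and a signed cookie stays valid until it expires, so a permission removed by the client's administrator is still honoured on that browser until the cookie is reissued. The database-backed alternative in the second paragraph avoids both.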
A: 

Really if you want to program this all yourself to the cookie level you're risking opening security holes. The way to do this is with forms authentication combined with role based authorization. Asp.net will give the user a tamperproof cookie.

If you implement roles you can then easily mark methods:

 [PrincipalPermission(SecurityAction.Demand, Role="Screen1Create")]

or use code to see if someone is in a particular role.

Lots of info: http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx

Arnoud
Thanks for the link. Yes, this is the way I envisage implementing the role/permission check. I want to minimize the number of times I hit the database, so I want to use an encrypted cookie. The values in this cookie will be added at login. Do you think this is the best way to get the flexibility of the level of permissions required into my app?
Yes, it is absolutely the best way. It's pretty easy to set up too: just mark methods with the PrincipalPermission attribute to be sure no one who isn't supposed to can call it (they'd get a security exception). Then just check someone's roles to disable buttons, for example. Roles are stored in HttpContext.Current.User so you won't have to hit the database each request. An example of forms based authentication with roles: http://www.codeproject.com/KB/web-security/formsroleauth.aspx
Arnoud
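The forms-authentication-plus-roles pattern this answer recommends, as an added example (it is not code from the answer, from the asker's application, or from the linked articles). The roles granted to a user are looked up once at login and carried in the UserData field of the encrypted and signed forms ticket; on every request the principal is rebuilt from the ticket, so PrincipalPermission and User.IsInRole work without a database round trip. It assumes web.config has authentication mode="Forms" with protection="All", and an explicit machineKey if the application runs on more than one server; the class and method names, the 30-minute lifetime and the Screen1 role names follow the question.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket
{
    // Call after the password has been verified. roles[] comes from the database (one lookup per login).
    public static void Issue(HttpResponse response, string userName, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                            // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),  // roles in the ticket cannot be revoked before this without a DB check
            persistent,
            string.Join(",", roles));     // UserData: comma-separated role names

        // FormsAuthentication.Encrypt signs and encrypts the ticket with the machineKey,
        // which is what makes the cookie tamper-proof.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL; // mirrors requireSSL in web.config
        response.Cookies.Add(cookie);
    }

    // Called from Application_AuthenticateRequest. Rebuilds HttpContext.User from the ticket.
    public static void Restore(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; } // modified, or protected with a different key: stay anonymous

        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

// Global.asax code-behind
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        RoleTicket.Restore(Context);
    }
}

public class Screen1Service
{
    // Declarative check: a caller without the role gets a SecurityException before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Screen1Create")]
    public void Create(string item)
    {
        // ... create the record ...
    }

    // Imperative check, for example to hide a Delete button instead of throwing.
    public static bool CanDelete(IPrincipal user)
    {
        return user != null && user.Identity.IsAuthenticated && user.IsInRole("Screen1Delete");
    }
}
```

Because the roles live in the ticket, a change made by a client's administrator takes effect only when the user's ticket is reissued; keeping the lifetime short, or re-reading roles from the database when the ticket is renewed, keeps that window small. PrincipalPermission demands are evaluated against Thread.CurrentPrincipal, which ASP.NET synchronises with HttpContext.User after the authentication stage, so the attribute sees the same roles as User.IsInRole.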