tags:

views:

149

answers:

3
+1  Q: 

Intranet Web Application Security

Using Active Directory / Windows Integrated authentication is a given. From a development standpoint, what is the best way to consume this?

Is it through configuration?

<location path="SecurePage.aspx">
    <system.web>
     <authorization>
      <allow roles="MyDomain\My Secure Users" />
      <deny users="*" />
     </authorization>
    </system.web>
</location>

Is it through code?

User.IsInRole(@"MyDomain\My Secure Users");

Is it a good idea to store this in a database? So granting new users/groups can be done via a custom application? (I ask this because this is the status quo.) What is wrong with this idea?

A: 

If its not going to change much, use the web.config.

If it is going to change a lot then use the code method but with a database to make it easily modifiable.

More a general answer to coding practices rather than related to security.

Robin Day  2009-03-03 17:41:51
+1  A: 

There is no reason you can't use both. Doing through the web.config is really simple and effective. Always operate at the role level though. You use the code version for scenarios where you have an use where the config isn't enough, and also when you want to display/hide specific parts of the UI (there are also controls version of this).

Update 1: You already have supports for the roles, so I assume the database is to actually map roles to features. Asp.net built-in support and the extensibility points it supports are at the role level. If you really need to be full dynamic, then you need to do the check at the code level (the .config operates on roles). It is a matter of the extra effort it takes, so it depends more on the size of the system. For most cases sticking with roles is enough.

eglasius  2009-03-03 17:52:20
+1  A: 

I personally prefer a declarative approach (i.e. the location-based web.config approach). This makes it easier to make changes when necessary without requiring redeployment of code.

Under no circumstances do I recommend calling User.IsInRole() with a static string as you do in your example; use the web.config declarative approach if your auth doesn't change.

Going the route you suggest in your last paragraph is perfectly fine, but I would only recommend it for situations where your auth information is likely to change frequently, i.e. for CMS applications or similar ilk.

In short, I don't think there's a "best practice" on the subject; it really depends on the application.

Randolpho  2009-03-03 17:52:56

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps