Forum

Messages created by user JatApp
14 July 2021 13:11 [ON MODERATION]
There are limitations in the role model of ASP.NET authorization for content management systems. The problem lies in defining the critical set of roles. Both ways that are available to developers have their own drawbacks that can be easily avoided when the security system administrator and the developer are the same person, or they work in the same office. However, if they are spread around the world, as in the case of software development website outsourcing, the problem needs a different solution. Let’s take a deeper look at the problem.
When a user registers on a Web site, he or she gets identification data (a login and password) that gives access to additional benefits provided by the Web site.

From the standpoint of the developer, the process of giving benefits to registered users is divided into two sequential steps: authentication and authorization. During the authentication process, the system verifies whether the user is who he claims he is. During the authorization process with a dedicated development team, the system gives the user permission to do something or have something. The effectiveness of the implementation of these steps is essential for the effectiveness of the entire security system of the Web site. Let’s examine authorization in more detail.

During the authorization process, the system matches the user name with a subset of opportunities available to this user on the Web site. This is done with the help of a particular entity that allows you to match the subset of opportunities with several users at once, uniting users on the basis of equal rights. The entity is called a role or a group of users.

There is a set of tools for defining the list of additional opportunities for registered users, made available to the ASP.NET developer:
  • The configuration file (web.config) allows you to limit access at the level of subdirectories and files by using the configuration sections <authorization> and <location>;
  • PrincipalPermissionAttribute allows you to limit access at the level of a method call or the properties of classes;
  • The PrincipalPermission class allows you to limit access at the level of code snippets within a method or a property;
  • The IPrincipal interface allows you to limit access to code snippets by using the IPrincipal.IsInRole method call.

Using a variety of tools, the developer places method and attribute calls within a configuration file and Web page code. Names of roles with a defined action are used as the input parameters. It is also necessary to have a list of all the roles supported in our IT support services by the system for running a security system. The type of repository does not matter in this case.

Here is the problem. Which of the two sets of roles is critical? The one that is scattered in the code as the input parameters, or the one that is in the repository of roles? In the first case, the security system administrator has to scan the code before filling in the repository of roles to catch the names of all roles used as the input parameters. In the second case, the developer must be sure that the names of roles are consistent throughout the lifetime of the system because, otherwise, it will be impossible to change or delete the names of roles.
This is not a problem when the security system administrator and the developer are the same person, or they work in the same office. However, if they are spread around the world, as in the case of a software development company, it is very difficult or even impossible to make changes in the initial module code.

To solve the issue, a set of syntactic constructions that allows you to limit access to code snippets for different groups of users is necessary. This set should meet the following requirements:
  • Ensure the independence of the module developer from the security system administrator in defining the user groups with limited access to the module's code snippets.
  • Have a mechanism for the export of the set of user groups involved in the system of restrictions for a specific module. This allows the administrator of the security and IT support and services system of the Web site to match the existing set of roles with the system of restrictions for a specific module.
  • Have a unique namespace for a specific module of the content management system of the Web site.
  • Have backward compatibility with the existing role model for authorization.
  • Ensure an opportunity for a declarative programming style.

In the next blog post, a solution where the permission-based model is used will be presented.
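
As an added illustration (not code from the JatApp post or from any project it names), here is a hypothetical CMS module in C#, assuming .NET Framework ASP.NET where these permission types are available: it uses the three code-level tools listed above with role names kept in one per-module class, and adds an exporter that lists those roles for the security administrator and reports any the role repository lacks. ModuleRolesAttribute, NewsModuleRoles, NewsArticleService and RoleExporter are invented names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Security.Permissions;
using System.Security.Principal;

// Hypothetical CMS module: role names live in one class, prefixed with the module
// name (a namespace of their own) instead of being scattered as string literals.
[AttributeUsage(AttributeTargets.Class)]
public sealed class ModuleRolesAttribute : Attribute { }

[ModuleRoles]
public static class NewsModuleRoles
{
    public const string Editor = "NewsModule.Editor";
    public const string Publisher = "NewsModule.Publisher";
}

public class NewsArticleService
{
    // Declarative, method-level check (PrincipalPermissionAttribute).
    [PrincipalPermission(SecurityAction.Demand, Role = NewsModuleRoles.Editor)]
    public void SaveDraft(string title) { /* persist the draft */ }

    // Imperative check on one code snippet inside a method (PrincipalPermission class).
    public void Publish(string title)
    {
        new PrincipalPermission(null, NewsModuleRoles.Publisher).Demand();
        /* publish the article */
    }

    // Coarse check through IPrincipal.IsInRole, e.g. to show or hide a button.
    public bool CanPublish(IPrincipal user) => user.IsInRole(NewsModuleRoles.Publisher);
}

// Export: list every role a module declares, so the security administrator can
// fill the role repository without reading the module's source.
public static class RoleExporter
{
    public static IEnumerable<string> DeclaredRoles(Assembly module) =>
        module.GetTypes()
              .Where(t => t.IsDefined(typeof(ModuleRolesAttribute), false))
              .SelectMany(t => t.GetFields(BindingFlags.Public | BindingFlags.Static))
              .Where(f => f.IsLiteral && f.FieldType == typeof(string))
              .Select(f => (string)f.GetRawConstantValue())
              .Distinct().OrderBy(r => r);

    // Deployment check: roles the module demands but the repository does not define
    // (compare against System.Web.Security.Roles.GetAllRoles() in ASP.NET).
    public static IEnumerable<string> MissingFromRepository(Assembly module, IEnumerable<string> repositoryRoles) =>
        DeclaredRoles(module).Except(repositoryRoles, StringComparer.Ordinal);
}
```

Running MissingFromRepository at deployment time turns the administrator's manual code scan into an automated consistency check between the module and the role repository.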


14 July 2021 12:59 [ON MODERATION]
Cool
14 July 2021 12:58 [ON MODERATION]
Cool! Congratulations