[Mono-list] how to do proper role based authentication in web apps

Steve Mentzer steve@mudflapsoftware.com
Fri, 4 Jun 2004 21:33:51 -0700

Forms authentication and RBA in ASP.NET are a bit of a sore spot with web developers these days.

The biggest issue with RBA has to do with the ASP.NET lifecycle/event chain. Typically, developers choose to use the declarative security attributes on their pages. The problem is that these attributes are processed very early in the event chain.

Typically, apps will store role information in a database. Forms authentication combined with RBA requires that you load all security information on every request during the 'AuthenticateRequest' event. This event gives you the ability to create a custom IPrincipal object, containing the roles.

The sore spot is that each page transition requires the runtime to reload all security information for the user from the database again.... Developers traditionally have handled this by caching login details / security in session state. Unfortunately, session state isn't loaded until much further in the event chain (AcquireSessionState), but in the meantime the declarative security attributes are checked, and BANG, you are screwed.

To sum it up, using RBA with FormsAuthentication requires that you incur a huge scalability bottleneck because you have to reload all security info at runtime.

FWIW - I hate using declarative security attributes on pages, as it is easier to trap security situations programmatically.

As Gonzalo indicated earlier, you CAN write your own handlers to address your needs. If you are looking for some pre-written ASP.NET security code that utilizes FormsAuthentication, cookies, caching, single-sign-on, etc, search for IOD.Security on http://www.gotdotnet.com/community/workspaces/directory.aspx. I wrote it about 6 months ago, and aside from the use of declarative security attributes, it is a fairly unobtrusive way to avoid having to write your own security code.

I have used it on several very large sites successfully.

On Jun 4, 2004, at 8:57 PM, Gonzalo Paniagua Javier wrote:

> El vie, 04-06-2004 a las 07:46, DI Mag. Rainer Burgstaller escribió:
>> Hi
>> I have a question on how to properly do RBA in web applications. I am
>> currently using the formsauthentication but it only supports fixed users
>> stored in the web.config file which is pretty inflexible (am I
>> something)? So what I currently do is to override the
>> Thread.CurrentPrincipal and HttpContext.User by the user which is stored
>> in the cookie (which I also create by hand). I do that in the
>> global.asax.
>> I checked a few open source projects (omniportal, Rainbow) on how they do
>> it but it does not seem like they do it too good either (I don't mean to
>> insult anyone). I am coming from the java side and there JAAS offers
>> quite elegant way of doing such a thing by using "plugin" authentication
>> providers. So I wondered if there is such a possibility or if I could
>> somehow replace the FormsAuthenticationModule by something I do which then
>> allows authentication against a db for example.
> See
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfauthorizationsection.asp
> Mono supports that.
> -Gonzalo
> _______________________________________________
> Mono-list maillist  -  Mono-list@lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-list
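The AuthenticateRequest approach described in Steve's message above, as an added example that is not code from the thread or from IOD.Security: a hypothetical Global.asax.cs handler that attaches database roles to the FormsIdentity the FormsAuthenticationModule has already validated, using the application cache (not session state, which is not yet available at this point in the pipeline) to avoid the per-request database reload. The LoadRolesFromDatabase body and its user/role values are constructed stand-ins.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Hypothetical Global.asax.cs. Application_AuthenticateRequest runs after
// FormsAuthenticationModule has validated the ticket but before
// AcquireRequestState, so session state cannot be used here; the
// application-wide Cache can.
public class Global : HttpApplication
{
    // Bounds how long a role change in the database stays unseen; a short
    // sliding window is the trade-off between DB load and revocation lag.
    private static readonly TimeSpan RoleCacheLifetime = TimeSpan.FromMinutes(10);

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule sets Context.User to a GenericPrincipal
        // wrapping a FormsIdentity with an empty role list.
        FormsIdentity identity = Context.User == null
            ? null
            : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return; // anonymous request: leave the principal untouched

        string[] roles = LoadRolesCached(Context.Cache, identity.Name);

        // Replace the principal so declarative security (<authorization>,
        // PrincipalPermission) and IsInRole see the database roles.
        Context.User = new GenericPrincipal(identity, roles);
        Thread.CurrentPrincipal = Context.User;
    }

    private static string[] LoadRolesCached(Cache cache, string userName)
    {
        string key = "roles:" + userName;
        string[] roles = cache[key] as string[];
        if (roles != null)
            return roles; // cache hit: no database round trip this request

        roles = LoadRolesFromDatabase(userName);
        cache.Insert(key, roles, null, Cache.NoAbsoluteExpiration, RoleCacheLifetime);
        return roles;
    }

    private static string[] LoadRolesFromDatabase(string userName)
    {
        // Constructed placeholder for the real role query.
        return userName == "alice" ? new[] { "Admin", "User" } : new[] { "User" };
    }
}
```

When an administrator removes a role, also call Context.Cache.Remove("roles:" + userName) so the change takes effect before the sliding window expires.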