Security Application Block - only for Web applications?

Topics: Security Application Block
Sep 8, 2007 at 12:47 PM
Edited Sep 8, 2007 at 1:41 PM
When I read the fine print on the Security Application Block last time, I came to the shocking conclusion that it could only be used in web apps. Is this still the case?
Alarm bells start ringing very strongly as the documentation doesn't actually tell me, but every single "Related Title" points to a discussion that uses ASP.NET exclusively,

There's also stuff like this in the examples:
Authenticate the user. The following code demonstrates how to authenticate a user using the System.Web.Security.Membership class.

Can anyone save me the trouble and spill the beans on this in a discussion?
Sep 10, 2007 at 1:10 PM

The ASP.NET Membership and Role services are used, but they are not necessarily used in an ASP.NET application. You can take a look at the Security Block quickstart, which shows how to use these features in a WinForms application.

Here's a related post from Tom I doesn't address your core concern, but it does provide some information.

Hope this helps,
Sep 11, 2007 at 4:13 AM
Edited Sep 11, 2007 at 9:24 AM
Thanks for your answer Fernando

But while you said the SecurityQuickStart shows how to use these features in a WinForms application - I'm afraid this is not true.

I've downloaded the Enterprise Library 3.1 and am right now, looking at the SecurityQuickStart.
When I press F5 to take a look ... I get an error message that reads something like this:

This QuickStart requires a database configured with ASP.NET services schema....
And if I delete the reference to System.Web in the SecurityQuickStart project, the whole thing doesn't compile.

Now can I ask again, does the Security Application Block work without ASP and/or have any working demos that don't require ASP.NET?

I'm interested in adding some simple security to my SmartClient application. But it looks like the Security Application Block should be called ASP.NET Security Block.

I can see that the Security Application Block project doesn't reference System.Web (as it did last time) but it may still rely on information that only an ASP application can provide. Being restricted to web apps was not revealed in the last Security Application Block I checked (confusingly and frustratingly), so I hope someone can please clarify this to save myself and others a load of time.
Sep 11, 2007 at 1:44 PM
Edited Sep 11, 2007 at 1:45 PM

I don't see how my original statement is not true... The quick start is a WinForms application and does use the ASP.NET Membership and Role services. These services are part of the System.Web assembly, so obviously removing a reference to this assembly will prevent the code from building (as would any other project with a missing reference), and their implementation requires a database schema to store information (just like many other services do).

The Security Application Block implements certain security features (e.g. authorization and security caching), leaving Role and Membership management to the ASP.NET implementations which are not part of the block. I agree that the ASP.NET services were built with ASP.NET web applications as their primary target, but they can be used in other scenarios and that's the purpose of the quick start. Also, the assemblies and tools involved (like aspnet_regsql.exe used to register the required schemas) are part of the .net 2.0 redistributable package.

I don't understand what you mean by "relying on information that only an ASP application can provide". Again, the quickstart is a WinForms application using the services from the ASP.NET.

Here's a post with a related discussion

Sep 12, 2007 at 1:04 AM
Edited Sep 12, 2007 at 4:56 AM
By saying relying on information that only an ASP application can provide - I mean can I use the Security Applicatiln Block without any references to ASP.NET or System.Web?

I don't understand why the Security Application Block seems to require functionality found only in System.Web.

So, my confusion is this:
  • I 'm building a non-Web, Smartclient WinForms application.
  • I look at the Security Application Block and I see references to System.Web and ASP.NET.
  • With those dependencies, I see a problem in using this Application Block with a non-ASP, non-Web application.

Surely this is a fundamental question that needs to be answered by anyone thinking about using this application block for a non-web application.

But given your related discussion link, it looks like it's just because System.Web is a poorly organised, badly named assembly that is causing the confusion.
Sep 12, 2007 at 1:10 PM

Let me clarify something. The Security Application Block does not have any dependency on System.Web for its implementation of two security services (authorization and security cache). The Security Application Block Quick Start shows how to use these services and the security related services from System.Web (Role and Membership) that happen to be useable from WinForms applications.

The Security Application Block did have implementations of services similar to Role and Membership before the January 2006 release, but those implementations were removed when the .NET platform provided implementations with the release of the .NET 2.0 version. The post from Tom I posted above mentions this situation. Because of this, the Quick Start has a prominent banner with this text: "Note: Much of the functionality demonstrated by this QuickStart was implemented in previous versions of Enterprise Library, but the same functionality is now provided directly by the .NET Framework. This functionality is still demonstrated in the QuickStart to provide migration guidance for users of previous versions of Enterprise Library."

I agree that you have a valid concern that must be addressed, and the documentation doesn't seem to state explicitly the fact that services from the System.Web assembly can be used from WinForms apps. I hope it is clarified now.