Enterprise Security Best Practices

Topics: Security Application Block
Feb 6, 2007 at 3:59 PM
I am designing an enterprise application for my company and I am looking to use as many best practices and patterns as I can to help me along the way. I need to build user security/management into my framework and I am wondering what the best solution out there is. I can design the entire thing from scratch and implement users/roles/etc., but I think I would be missing the point on the patterns/best practices side of things. I have looked into the System.Web.Membership stuff for ASP.Net 2.0 but it is too focused on just Web security.

Can anyone help me or point me in the right direction here? Am I missing something about the ASP.Net security that would actually make it the best route for me to take? I need the essentials, Users and Groups that can be assigned specific actions, and then I can check those actions at runtime to see if users have permission to do specific things.
Feb 8, 2007 at 4:31 PM
The profile and role management sections of the Security Application Block were removed in favor of the new role and profile functionality in the .NET Framework. Although the new providers are in the web related namespaces you can easily use them in winform applications if that is what you are building. I believe using them is the proven practice, which is why the functionality was pulled from the Security Application Block.

There are quickstarts with Enterprise Library that can get you up to speed on the security block, but I think your best bet is looking at the Software Factories. They not only help you build applications, but they also come with:

1) Reference implementations which show you a bit more real-world use of the blocks
2) Help files that discuss a lot of the proven practices
3) Built-in functionality like logging, exception handling, and security

I have plenty of experience with the Web Client and Web Service Software Factories and they are top notch. I don't know much about the Smart Client and Mobile Client Software Factories, but my guess is that they are just as good.

Here are some links:

Smart Client and Mobile Client: http://www.codeplex.com/smartclient
Web Client: http://www.codeplex.com/websf
Web Service: http://www.codeplex.com/servicefactory
David Hayden
Microsoft MVP C#
Feb 8, 2007 at 10:06 PM
If I were to use the Security Application Block, can you help me realize how I can add "feature" settings that can be applied to specific users and then have the ability to see if users can perform those functions?

Hope that made sense; I haven't seen how to easily do that using system.web.security.
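A worked example of the users/groups/actions check the original question describes, and of the per-"feature" permissions the last post asks about, added here as an illustration. It is not code from this thread, from Enterprise Library, or from System.Web.Security; the FeatureAuthorizer class, the feature names and the sample users are all constructed for the example. The only framework dependency is IPrincipal.IsInRole, so a principal whose roles come from the ASP.NET Roles provider (Roles.GetRolesForUser works outside ASP.NET once the provider is configured) can be passed in unchanged.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

// Hypothetical feature-based authorizer (not an Enterprise Library or System.Web.Security type).
// "Features" are the actions the application wants to guard; roles are the groups users belong to.
// Code checks feature names, never role names, so roles can be re-mapped without recompiling.
public sealed class FeatureAuthorizer
{
    // feature name -> roles allowed to use it. Anything not listed here is denied.
    private readonly Dictionary<string, List<string>> rules =
        new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);

    public FeatureAuthorizer Allow(string feature, params string[] roles)
    {
        List<string> allowed;
        if (!rules.TryGetValue(feature, out allowed))
        {
            allowed = new List<string>();
            rules[feature] = allowed;
        }
        allowed.AddRange(roles);
        return this;
    }

    // Default deny: anonymous callers, unknown features and unmatched roles all fail.
    public bool CanPerform(IPrincipal principal, string feature)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;
        List<string> allowed;
        if (!rules.TryGetValue(feature, out allowed))
            return false;
        foreach (string role in allowed)
            if (principal.IsInRole(role))   // role membership is delegated to the principal
                return true;
        return false;
    }

    // Throwing variant for the top of a service or business method.
    public void Demand(IPrincipal principal, string feature)
    {
        if (CanPerform(principal, feature))
            return;
        string who = (principal == null || principal.Identity == null) ? "<anonymous>" : principal.Identity.Name;
        throw new UnauthorizedAccessException(
            string.Format("'{0}' is not permitted to perform '{1}'", who, feature));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Rules would normally be loaded from configuration; they are hard-coded here for the example.
        FeatureAuthorizer auth = new FeatureAuthorizer()
            .Allow("Orders.View", "Clerk", "Manager", "Finance")
            .Allow("Orders.Approve", "Manager", "Finance");

        // Constructed sample users. In a real application the role array would come from the
        // configured role provider, e.g. System.Web.Security.Roles.GetRolesForUser(userName).
        IPrincipal clerk = new GenericPrincipal(new GenericIdentity("alice"), new string[] { "Clerk" });
        IPrincipal manager = new GenericPrincipal(new GenericIdentity("bob"), new string[] { "Manager" });
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]); // empty name => not authenticated

        Console.WriteLine("clerk   Orders.View    : " + auth.CanPerform(clerk, "Orders.View"));
        Console.WriteLine("clerk   Orders.Approve : " + auth.CanPerform(clerk, "Orders.Approve"));
        Console.WriteLine("manager Orders.Approve : " + auth.CanPerform(manager, "Orders.Approve"));
        Console.WriteLine("manager Orders.Delete  : " + auth.CanPerform(manager, "Orders.Delete")); // feature never configured
        Console.WriteLine("anon    Orders.View    : " + auth.CanPerform(anonymous, "Orders.View"));

        // Typical runtime use: the principal is attached to the thread after login,
        // and each guarded method demands the feature it implements.
        Thread.CurrentPrincipal = clerk;
        try
        {
            auth.Demand(Thread.CurrentPrincipal, "Orders.Approve");
            Console.WriteLine("approved");
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine("denied: " + ex.Message);
        }
    }
}
```

Two design points worth keeping whatever framework ends up behind it: the check fails closed (an unauthenticated principal, a misspelled feature name or a role nobody mapped all yield "no"), and the feature-to-role table is the single place an administrator edits, which is the same idea Enterprise Library's rule-based authorization provider expresses as named rules evaluated against an IPrincipal.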