Mar 6, 2007 at 9:03 AM
Edited Mar 6, 2007 at 9:03 AM
I am currently designing an application to manage Contacts, Companies, Products, Product Categories, etc. The application is accessible from a Windows client (back-office in multiple international locations) and a Web client (front-office for online reservations) by using WCF as the communication medium between the clients and the server.
It must use username/passwords stored in a database AND in Active Directory.
We need to implement authorization features such as:
- User is authorized to manage (CRUD) all products
- User is authorized to manage products of category "Cars" only
- User is authorized to read products of category "Cars" only
- User is authorized to edit his personal profile
As I need special authorization on methods and on resources (e.g. a user is only manager of products inside the "Cars" category), what kind of mechanism should I use? Can EntLib 2.0 Security Block work in that scenario? (I can't use 3.0 because I need to release the application very soon.)
I saw that scopes could match what I need, but they seem to be quite "static", whereas product categories may be created every day. Is it possible to "inject" some kind of application context into the authorization checks? Also, I haven't found any good tutorial.
Can someone help me get started with this particular scenario? Thanks in advance :-)
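A sketch of the resource-scoped check the question describes, added here as an example and not code from the original post or from the Enterprise Library: authorization rules are kept as data (role, action, resource type, optional category constraint) and evaluated against the actual resource at call time, so a category created tomorrow needs a new rule row, not a new static scope. The class and member names (AuthRule, ResourceAuthorizer, IsAuthorized) are assumptions for this illustration.

```csharp
using System.Collections.Generic;

// Constructed example: an authorization rule is data, not a static scope.
// Role names come from the database or from Active Directory group membership.
public sealed class AuthRule
{
    public string Role;          // e.g. "ProductManager"
    public string Action;        // "read", "create", "update", "delete"
    public string ResourceType;  // "Product" or "Profile"
    public string Category;      // constraint on Product.Category; null = any category
    public bool SelfOnly;        // Profile only: caller may touch only his own record
}

public sealed class Product { public string Category; }
public sealed class Profile { public string OwnerUserName; }

public sealed class ResourceAuthorizer
{
    private readonly List<AuthRule> rules;
    public ResourceAuthorizer(List<AuthRule> rules) { this.rules = rules; }

    // Called by the WCF service operation with the resource it is about to act on,
    // so the check sees the real category instead of a pre-configured scope name.
    public bool IsAuthorized(string userName, ICollection<string> userRoles,
                             string action, object resource)
    {
        foreach (AuthRule rule in rules)
        {
            if (!userRoles.Contains(rule.Role) || rule.Action != action) continue;
            if (Matches(rule, userName, resource)) return true;
        }
        return false; // deny by default: no matching rule, no access
    }

    private static bool Matches(AuthRule rule, string userName, object resource)
    {
        Product product = resource as Product;
        if (product != null)
            return rule.ResourceType == "Product"
                   && (rule.Category == null || rule.Category == product.Category);
        Profile profile = resource as Profile;
        if (profile != null)
            return rule.ResourceType == "Profile"
                   && (!rule.SelfOnly || profile.OwnerUserName == userName);
        return false; // unknown resource types are denied
    }
}
```

The four requirements in the list map to four rows: ("ProductManager", "update", "Product", Category = null) for all products, ("CarManager", "update", "Product", Category = "Cars") for the Cars category only, ("CarReader", "read", "Product", Category = "Cars") for read-only access, and ("User", "update", "Profile", SelfOnly = true) for the personal profile.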