Security for Client/Server apps

Topics: Security Application Block
Apr 13, 2007 at 9:34 AM
Hi. I have previously used the security application block in an n-tier environment and in this scenario permissions can be configured on the server in text format. In this model permissions can be modified without recompilation and the configuration is secure from users.

I am now working on a client/server WinForms app and I wondered what the recommended implementation is. The three obvious implementations are to compile security configuration into the application, to store the configuration in the database, or to implement a server-based service against which permissions can be checked. I'm sure the pros and cons of each have been debated in depth.

Any pointers appreciated.

kh
Apr 16, 2007 at 10:14 PM
Are you going to rely on an existing authorization store already present in the deployment environment or must you build and deploy the authorization store as part of your application?

For example, can you rely on an existing LDAP directory such as Active Directory or Active Directory Application Mode?
Apr 17, 2007 at 6:32 AM
Yes, we have Active Directory groups which we can leverage to establish user membership in application "roles". We just need a mechanism for checking role permissions for certain actions within the application.
Apr 17, 2007 at 3:26 PM
Edited Apr 17, 2007 at 3:27 PM
I would recommend using the Security Application Block with an Authorization Manager (AzMan) provider. This provider can use Active Directory or ADAM as the authorization store. It can map Active Directory security groups into "application groups" and should provide the fine-grained authorization you are looking for in your application.