Jun 21, 2012 at 1:19 PM
Edited Jun 21, 2012 at 1:23 PM
The security component is application infrastructure, similar to logging and exception handling, so it is not necessary to have a WCF service for handling security.
1) Using a web service may cause performance problems in some cases.
2) If your application is not a service provider, there is no need for a web service/WCF.
There is a very good article from Microsoft talking about architecture performance:
<<Design Guidelines for Application Performance>>
(1) Put the processing closer to the resources it needs.
(2) Stay in the Same Process
(3) Do Not Remote Application Logic Unless You Need To
3) Create a SecurityManager class to wrap the Security Application Block. The interface looks like:
public bool Authorize(IPrincipal principal, string rule)
{
    // Call the security block method.
    IAuthorizationProvider ruleProvider = AuthorizationFactory.GetAuthorizationProvider("RuleProvider");
    // Determine whether user is authorized for the rule.
    return ruleProvider.Authorize(principal, rule);
}
4) For an ASP.NET MVC application, create a custom filter named RuleAuthorize that calls the security manager to do the security check, and name the rules from business understanding, e.g. good rules are like
The SecurityManager can be used at page/controller/page control level, so you can set a single UI control's visibility based on a specific rule.
5) You can do something similar for ASP.NET.
6) For how to store rules in SQL Server and how to use the block in a good way, please refer to the link below.
Hope this can help.
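
A sketch of the RuleAuthorize filter from step 4 wired to the SecurityManager wrapper from step 3, added here as an illustration and not code from the original post. The static wrapper, the deny-on-error behaviour, the 403 handling and the rule name "ApproveOrder" are assumptions; "RuleProvider" is the provider name the post uses.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using Microsoft.Practices.EnterpriseLibrary.Security;

// Wrapper from step 3, written to fail closed (assumption, not the post's code).
public static class SecurityManager
{
    public static bool Authorize(IPrincipal principal, string rule)
    {
        if (principal == null || string.IsNullOrWhiteSpace(rule)) return false;
        try
        {
            IAuthorizationProvider provider = AuthorizationFactory.GetAuthorizationProvider("RuleProvider");
            return provider.Authorize(principal, rule);
        }
        catch (Exception)
        {
            // Unknown rule or broken configuration: deny, and log it in real code.
            return false;
        }
    }
}

// Usage on a controller or action: [RuleAuthorize("ApproveOrder")] (hypothetical rule name)
public sealed class RuleAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string rule;
    public RuleAuthorizeAttribute(string rule) { this.rule = rule; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        return user != null && user.Identity.IsAuthenticated
            && SecurityManager.Authorize(user, rule);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        IPrincipal user = filterContext.HttpContext.User;
        // Signed in but denied: answer 403 so forms authentication does not
        // redirect an already authenticated user back to the login page.
        if (user != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Hiding a UI control with the same rule only changes what is displayed; the action behind it still needs the attribute, since the request can be sent without the control.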