Help with Enterprise Library 5.0 Security Block

Topics: Building and extending application blocks, Caching Application Block , Security Application Block
Jun 12, 2012 at 9:43 AM
Edited Jun 12, 2012 at 9:48 AM

Hi All,


We're on the verge of implementing the EL 5.0 Security Block for authorization. We intend to create a common, centralized authorization provider leveraging the security block and make authentication/authorization calls to it from all the tiers (Web/App).


Can someone throw more light on proven best practices for isolating the security block, wrapping it up and exposing it as a service using WCF? What are the pros & cons and implications of doing so? The main intent here is to make the authentication/authorization calls more scalable, and we do not want to introduce a performance overhead to the application due to the service calls.


Also any other robust common best practices will help.


Web Layer - SharePoint 2010, ASP.NET, Silverlight, Prism

App Layer - WCF


Thanks.

Jun 21, 2012 at 2:19 PM
Edited Jun 21, 2012 at 2:23 PM

A security component is application infrastructure, similar to logging and exception handling, so it is not necessary to have a WCF service for handling security.

1) using a web service may cause performance problems in some cases,

2) if your application is not a service provider, then there is no need for a web service/WCF

There is a very good article from Microsoft about architecture and performance:

 <<Design Guidelines for Application Performance>>

http://msdn.microsoft.com/en-us/library/ff647801.aspx

which highlights:

   (1) Put the processing closer to the resources it needs.

   (2) Stay in the Same Process

   (3) Do Not Remote Application Logic Unless You Need To

3) create a SecurityManager class to wrap the security application block; the interface looks like

     using System.Security.Principal;
     using Microsoft.Practices.EnterpriseLibrary.Security;

     public static class SecurityManager
     {
         // Wraps the Security Application Block so callers never touch the block directly.
         public static bool Authorize(IPrincipal principal, string rule)
         {
             // Resolve the rule provider configured under the name "RuleProvider".
             IAuthorizationProvider ruleProvider =
                 AuthorizationFactory.GetAuthorizationProvider("RuleProvider");

             // Determine whether the user is authorized for the rule.
             return ruleProvider.Authorize(principal, rule);
         }
     }

4) for an ASP.NET MVC application, create a custom filter named RuleAuthorize that calls the security manager to do the security check, and name the rules from the business understanding, e.g. good rules look like

  CanViewSalesRecord, CanEditCustomerCreditCardInfo, ...

 used like [RuleAuthorize("CanViewProduct")]

The SecurityManager can be used at the page/controller/page control level, so you can set a single UI control's visibility based on a specific rule.

5) you can do the same for ASP.NET

6) for how to store rules in SQL Server and how to use the block well, please refer to the link below.

  http://code.msdn.microsoft.com/windowsdesktop/Extending-the-EnSecurity-f1c44f95#content

Hope this can help.

Yiqian
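
As an added example, not code from the original thread or from Enterprise Library itself, here is one way to put the SecurityManager wrapper and the RuleAuthorize filter from the reply above together for an ASP.NET MVC application on Enterprise Library 5.0. The provider name "RuleProvider", the rule names, the ProductController and the use of .NET 4's Lazy<T> are assumptions; the fail-closed handling (unauthenticated principal or provider error is a deny) is added here and is not in the snippet above.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using Microsoft.Practices.EnterpriseLibrary.Security;

// Rule names in one place: a typo in a rule name becomes a compile error
// instead of a rule that silently never matches. (Names are assumptions.)
public static class Rules
{
    public const string CanViewProduct = "CanViewProduct";
    public const string CanEditCustomerCreditCardInfo = "CanEditCustomerCreditCardInfo";
}

public static class SecurityManager
{
    // Resolve the configured provider once rather than on every authorization check.
    // "RuleProvider" is the assumed name of the rule provider in the security configuration.
    private static readonly Lazy<IAuthorizationProvider> RuleProvider =
        new Lazy<IAuthorizationProvider>(
            () => AuthorizationFactory.GetAuthorizationProvider("RuleProvider"));

    // Fail closed: anything other than an explicit "true" from the block is a deny.
    public static bool Authorize(IPrincipal principal, string rule)
    {
        if (string.IsNullOrEmpty(rule))
            return false;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        try
        {
            return RuleProvider.Value.Authorize(principal, rule);
        }
        catch (Exception)
        {
            // An unknown rule name or a configuration error must not turn into an allow.
            // Log it (e.g. via the Logging Application Block) in a real application.
            return false;
        }
    }
}

// MVC filter: [RuleAuthorize(Rules.CanViewProduct)] on a controller or an action.
public sealed class RuleAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string rule;

    public RuleAuthorizeAttribute(string rule)
    {
        if (string.IsNullOrEmpty(rule))
            throw new ArgumentNullException("rule");
        this.rule = rule;
    }

    // Delegate the decision to SecurityManager; the base AuthorizeAttribute
    // turns a false result into the normal unauthorized response.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return SecurityManager.Authorize(httpContext.User, rule);
    }
}

// Usage on a controller (assumed). The same SecurityManager call drives UI
// visibility: the view can hide the credit-card editor when CanEditCard is false.
public class ProductController : Controller
{
    [RuleAuthorize(Rules.CanViewProduct)]
    public ActionResult Details(int id)
    {
        ViewBag.CanEditCard =
            SecurityManager.Authorize(User, Rules.CanEditCustomerCreditCardInfo);
        return View();
    }
}
```

This keeps the authorization decision in-process in each tier, which is the point of the reply above: the web tier and the WCF tier each reference the same SecurityManager assembly and the same rule configuration, so no remote call is made per check. The rules themselves are expressions in the block's own syntax (for example `R:Sales AND NOT R:Temp`, where `R:` is a role and `I:` an identity) under the security configuration section of each tier's config file; hiding a control with `ViewBag.CanEditCard` is a usability measure only, and the corresponding action must still carry its own RuleAuthorize check.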