Microsoft KB Archive/829021

= INFO: Microsoft Guide for Designing Application-Managed Authorization =

Article ID: 829021

Article Last Modified on 4/19/2007

-

APPLIES TO


 * Microsoft .NET Framework 1.1
 * Microsoft .NET Framework 1.0

-



SUMMARY
This article contains information about the Microsoft guide Designing Application-Managed Authorization. This guide provides guidelines for how to design and code application-managed authorization for single-tier or multi-tier applications that are based the on Microsoft .NET Framework.

This guide focuses on common authorization tasks and scenarios. It also provides information that helps you to choose the best approaches and techniques for authorization. This guide is intended for architects and developers.

This guide assumes that readers have a basic knowledge of topics such as Microsoft Windows authentication and authorization, XML Web services, and .NET Framework remoting. For more information about how to design distributed .NET Framework-based applications, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn2.microsoft.com/en-us/library/ms954595.aspx

For more information about how to design distributed applications that include security features, visit the following MSDN Web site:

http://msdn2.microsoft.com/en-us/library/aa302415.aspx

For more general design guidance, visit the following Microsoft Web site:

http://msdn.microsoft.com/architecture



MORE INFORMATION
This guide includes the following chapters:  Introduction

This chapter introduces you to the guide and summarizes the chapters that it contains. In a typical enterprise application, you must perform different types of authorization at each tier in the application. This chapter highlights some of the important authorization issues in each tier of an enterprise application. Understanding Authorization

Authorization is a confirmation that an authenticated principal -- a user, a computer, a network device, or an assembly -- has permission to perform an operation. Authorization helps you allow only authorized users to perform certain actions. It also helps you prevent malicious acts. This chapter describes the following concepts:  The protection that authorization provides Basic authorization The authorization capabilities of the .NET Framework  Designing Authentication for Authorization

Authorization depends on authentication -- that is, a user or a process must be authenticated before it can be authorized to view or to use specified resources. This chapter examines the following two authentication mechanisms, and also explains how each affects authorization:  Performing authorization based on Windows authentication</li> Performing authorization based on non-Windows authentication</li></ul> </li> Designing Identity Flow for Authorization

Authentication creates an IIdentity object and an IPrincipal object for authorization purposes, and determines how you can programmatically pass identity information to application logic that is remotely deployed. The propagation of an authenticated identity is known as identity flow. This chapter describes the following two ways to achieve identity flow:  Automatic identity flow</li> Manual identity flow</li></ul> </li> Performing Authorization in an Enterprise Application

Most recent applications benefit from a multi-tier design because multiple tiers provide scalability, flexibility, and performance enhancements. Although the purpose of authorization is essentially the same in each of the application tiers -- that is, to control user access to functionality and data -- you design and implement authorization differently across the tiers. This chapter discusses how to perform authorization in the following three tiers of an enterprise application:  User interface tier</li> Business tier</li> Data tier</li></ul> </li> Creating Authorization Code with .NET Role-Based Security

This chapter discusses how to write code to perform authorization by using .NET Framework role-based security. You can use role-based security to perform authorization for a whole group of users instead of for a particular user.

You must consider the following:  Performing authorization checks

There are several programming techniques to perform authorization checks by using .NET Framework role-based security. You must decide what technique you want to use, depending on the requirements of your application.</li> Separating business logic and authorization logic

Microsoft recommends that you have a strategy to separate your business logic and your authorization logic.</li> <li>Handling authorization errors

You must decide how to handle authorization errors. Authorization errors not only affect your component code, they also affect any code that calls your component.</li> <li>Performing authorization with multiple threads

If your application uses multithreading, you must decide how best to associate an IPrincipal object with each thread. There are several options, depending on how you want to handle role-based authorization in a multithreaded application.</li> <li>Extending the default implementation

In some situations, it may be best to extend the default implementation that classes and interfaces in the .NET Framework class library provide.</li></ul> </li> <li>Reusing Authorization Implementations

You may be able to reuse your application authorization framework across multiple applications if you consider reuse when you design the framework. Typically, reuse involves the code and the infrastructure that are used to implement authorization capabilities.

The benefits of reusing your application authorization framework include the following: <ul> <li>Developers in your organization can target one application authorization framework.</li> <li>You can easily reuse components that use the application authorization framework in other applications because they use a standard authorization approach.</li> <li>The authorization subsystem becomes a focal point for synchronization with other computer systems or other operating systems. When you reuse your application authorization framework, you do not have to synchronize authorization details from previous applications to new applications that require authorization data.</li> <li>Authorization management is consistent across applications and makes the experience consistent for administration and operations personnel.</li></ul>

This chapter includes some best practices for reusing authorization implementations.</li> <li>Appendix

This appendix includes the following topics: <ul> <li>How to Enable Authorization in a .NET Remoting Component</li> <li>How to Perform Authorization in an XML Web Service</li> <li>How to Create an Authorization Custom Exception Type</li> <li>How to Change the Principal in an ASP.NET Application</li> <li>How to Build a GenericPrincipal Using SQL Server</li> <li>How to Use System.EnterpriseServices COM+ Role-Based Security</li></ul> </li></ul>

<div class="references_section">