MORE INFORMATION

This guide includes the following chapters:

• Introduction
  This chapter introduces you to the guide and summarizes the chapters that it contains. In a typical enterprise application, you must perform different types of authorization at each tier in the application. This chapter highlights some of the important authorization issues in each tier of an enterprise application.
• Understanding Authorization
  Authorization is a confirmation that an authenticated principal -- a user, a computer, a network device, or an assembly -- has permission to perform an operation. Authorization helps you allow only authorized users to perform certain actions. It also helps you prevent malicious acts. This chapter describes the following concepts:
  • The protection that authorization provides
  • Basic authorization
  • The authorization capabilities of the .NET Framework
• Designing Authentication for Authorization
  Authorization depends on authentication -- that is, a user or a process must be authenticated before it can be authorized to view or to use specified resources. This chapter examines the following two authentication mechanisms, and also explains how each affects authorization:
  • Performing authorization based on Windows authentication
  • Performing authorization based on non-Windows authentication
• Designing Identity Flow for Authorization
  Authentication creates an IIdentity object and an IPrincipal object for authorization purposes, and determines how you can programmatically pass identity information to application logic that is remotely deployed. The propagation of an authenticated identity is known as identity flow. This chapter describes the following two ways to achieve identity flow:
  • Automatic identity flow
  • Manual identity flow
• Performing Authorization in an Enterprise Application
  Most recent applications benefit from a multi-tier design because multiple tiers provide scalability, flexibility, and performance enhancements. Although the purpose of authorization is essentially the same in each of the application tiers -- that is, to control user access to functionality and data -- you design and implement authorization differently across the tiers. This chapter discusses how to perform authorization in the following three tiers of an enterprise application:
  • User interface tier
  • Business tier
  • Data tier
• Creating Authorization Code with .NET Role-Based Security
  This chapter discusses how to write code to perform authorization by using .NET Framework role-based security. You can use role-based security to perform authorization for a whole group of users instead of for a particular user.
  
  You must consider the following:
  • Performing authorization checks
    There are several programming techniques to perform authorization checks by using .NET Framework role-based security. You must decide what technique you want to use, depending on the requirements of your application.
  • Separating business logic and authorization logic
    Microsoft recommends that you have a strategy to separate your business logic and your authorization logic.
  • Handling authorization errors
    You must decide how to handle authorization errors. Authorization errors not only affect your component code, they also affect any code that calls your component.
  • Performing authorization with multiple threads
    If your application uses multithreading, you must decide how best to associate an IPrincipal object with each thread. There are several options, depending on how you want to handle role-based authorization in a multithreaded application.
  • Extending the default implementation
    In some situations, it may be best to extend the default implementation that classes and interfaces in the .NET Framework class library provide.
• Reusing Authorization Implementations
  You may be able to reuse your application authorization framework across multiple applications if you consider reuse when you design the framework. Typically, reuse involves the code and the infrastructure that are used to implement authorization capabilities.
  
  The benefits of reusing your application authorization framework include the following:
  • Developers in your organization can target one application authorization framework.
  • You can easily reuse components that use the application authorization framework in other applications because they use a standard authorization approach.
  • The authorization subsystem becomes a focal point for synchronization with other computer systems or other operating systems. When you reuse your application authorization framework, you do not have to synchronize authorization details from previous applications to new applications that require authorization data.
  • Authorization management is consistent across applications and makes the experience consistent for administration and operations personnel.
  This chapter includes some best practices for reusing authorization implementations.
• Appendix
  This appendix includes the following topics:
  • How to Enable Authorization in a .NET Remoting Component
  • How to Perform Authorization in an XML Web Service
  • How to Create an Authorization Custom Exception Type
  • How to Change the Principal in an ASP.NET Application
  • How to Build a GenericPrincipal Using SQL Server
  • How to Use System.EnterpriseServices COM+ Role-Based Security