Patterns and Practices

WCSF Security Screencast - ASP.NET 2.0 Website Security Features


ASP.NET 2.0 Security Using WCSF

ASP.NET 2.0 Security Features in the WCSF v2.0

This screencast walks you through the WCSF Reference Implementation to show off the ASP.NET security architecture and features in the Composite Web Application Block as well as the custom membership and role providers provided in the sample application.

The screencast highlights:

  • The EnterpriseLibraryAuthorizationService using the Security Application Block.
  • The AuthorizationRulesService built into the Composite Web Application Block.
  • The WebClientAuthorizationModule HTTP Module.
  • Custom Membership and Role Providers.
  • Integration of the SiteMapBuilderService with user permission sensitivity.

Download ( 70MB, 20min AVI File )



ASP.NET 2.0 Security Features in the WCSF v2.0

The Composite Web Application Block in the Web Client Software Factory has an AuthorizationService, AuthorizationRulesService, WebClientAuthorizationModule, and SiteMapBuilderService that work together to provide URL-based security based on user permissions. This screencast walks you through the WCSF Reference Implementation to show off the ASP.NET security architecture and features as well as the custom membership and role providers provided in the sample. Although focused on WCSF, the ASP.NET Security Features shown can be added and applied to any website.

The AuthorizationService used by the Composite Web Application Block is pluggable. The default AuthorizationService used by the CWAB is an EnterpriseLibraryAuthorizationService that uses the Security Application Block in Enterprise Library. Authorization rules are stored in the application's main web.config file and look like this:

<rules>
    <add expression="R:Approver" name="AllowApprovals"/>
    <add expression="R:User" name="AllowAutocomplete"/>
    <add expression="R:User" name="AllowCreateOrders"/>
    <add expression="R:User" name="AllowBrowseOrders"/>
    <add expression="R:User" name="AllowSearchCustomers"/>
</rules>

 

The AuthorizationRulesService is built into the Composite Web Application Block and maps URLs to permissions. These rules are loaded during application startup and can be found in each Business Module's Web.config file throughout the website:

<authorization>
    <rule Url="~/Orders/OrderEntry.aspx" Rule="AllowCreateOrders" />
    <rule Url="~/Orders/MySavedDrafts.aspx" Rule="AllowCreateOrders" />
    <rule Url="~/Orders/MyApprovals.aspx" Rule="AllowApprovals" />
    <rule Url="~/Orders/SearchOrders.aspx" Rule="AllowBrowseOrders"/>
</authorization>

 

The WebClientAuthorizationModule (an HttpModule) uses input from the AuthorizationService and AuthorizationRulesService to allow or deny users access to web pages. Although the expressions that can be used with the Security Application Block in Enterprise Library are flexible, the WCSF Reference Implementation demonstrates role-based security, using a custom membership and role provider to supply authentication and role information.
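Because the rule definitions and the URL mappings live in different config files, a review script can cross-check them. The following is an added example, not code from the screencast or from WCSF: it flags URL mappings that name an undefined rule and pages that have no mapping at all. The rule AllowExportOrders, the pages Export.aspx and OrderDetails.aspx, and the page inventory are constructed for illustration, and `allowed()` is a simplified model that understands only single `R:<role>` expressions.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, modeled on the two config fragments shown above.
RULES_XML = """<rules>
    <add expression="R:Approver" name="AllowApprovals"/>
    <add expression="R:User" name="AllowCreateOrders"/>
    <add expression="R:User" name="AllowBrowseOrders"/>
</rules>"""
URLS_XML = """<authorization>
    <rule Url="~/Orders/OrderEntry.aspx" Rule="AllowCreateOrders" />
    <rule Url="~/Orders/MyApprovals.aspx" Rule="AllowApprovals" />
    <rule Url="~/Orders/SearchOrders.aspx" Rule="AllowBrowseOrders"/>
    <rule Url="~/Orders/Export.aspx" Rule="AllowExportOrders"/>
</authorization>"""
# Constructed inventory of the .aspx pages deployed in the module.
PAGES = ["~/Orders/OrderEntry.aspx", "~/Orders/MyApprovals.aspx",
         "~/Orders/SearchOrders.aspx", "~/Orders/Export.aspx",
         "~/Orders/OrderDetails.aspx"]

def load_rules(xml_text):
    """Map rule name -> expression from a <rules> fragment."""
    return {e.get("name"): e.get("expression")
            for e in ET.fromstring(xml_text).iter("add")}

def load_url_map(xml_text):
    """Map URL -> rule names. URLs are lower-cased (assumption: paths compare case-insensitively)."""
    urls = {}
    for e in ET.fromstring(xml_text).iter("rule"):
        urls.setdefault(e.get("Url").lower(), []).append(e.get("Rule"))
    return urls

def audit(rules, url_map, pages):
    """Return (url, problem) findings for a reviewer."""
    findings = [(url, "references undefined rule " + name)
                for url, names in sorted(url_map.items())
                for name in names if name not in rules]
    findings += [(p, "no rule mapped")
                 for p in sorted(p.lower() for p in pages) if p not in url_map]
    return findings

def allowed(url, roles, rules, url_map):
    """Simplified model: None if the URL is unmapped, else every rule must pass; unknown rules deny."""
    names = url_map.get(url.lower())
    if names is None:
        return None
    return all((rules.get(n) or "").startswith("R:") and rules[n][2:] in roles
               for n in names)
```

A page reported as "no rule mapped" is not covered by these URL rules, so whatever protects it has to be confirmed separately.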

The SiteMapBuilderService provides an overload for adding nodes that can take a permission, like "AllowBrowseOrders". Based on the user's credentials, sitemap nodes and menu options are displayed or hidden depending on whether the user has the proper permissions.

All of these ASP.NET security features and services working together provide an elegant authentication and authorization architecture for your ASP.NET 2.0 Websites.

I hope you enjoy the screencast.


Tags: GuidanceBundles, AuthorizationService, AuthorizationRulesService, WebClientAuthorizationModule, CompositeWebApplicationBlock, MembershipProvider, RoleProvider, SecurityApplicationBlock, SiteMapBuilderService

