Intranet

Guest

Hi,
I am developing a local intranet application and will be using Windows authentication.
Dot net provides code access security and role-based security; I am not very sure how to use them. On the intranet there are links which a certain group of users can use. How do I implement such a scenario using the security provided by the dot net framework? Can anyone guide me on how to implement this in dot net?

Thanks
Prasad
 
Hi

The description of your solution does not contain enough details to provide the exact security design of your application. I am going to give you a short overview, but please, even if this completely helps you, BE SURE THAT YOU REALLY UNDERSTAND WHAT YOU DO.

• Assuming that your intranet application is written in ASP.Net or it is an ASP Web Service, set the directory security in IIS manager to Windows authentication. Be sure that anonymous is not checked. This forces IIS to return an access denied on the first client's request. The client must be able to authenticate by using NTLM. By using NTFS you can set the wanted permissions.

• Then in the web.config of your application set the following tags

<authentication mode="Windows" />
<identity impersonate="true" />

• If your client is the IE browser you do not have to do anything else to be sure that nobody outside the specified Windows group can access the site.

• But this is often not enough. Additionally you can provide much more granularity by using CAS if required. CAS allows you to define role-based security (not only). For example, if your solution provides some Web Service you can protect your methods as shown below

[WebMethod(Description="Retrieves the appointment data", EnableSession=false)]
[PrincipalPermissionAttribute(SecurityAction.Demand, Role = "SomeRole")]
public void GetServiceAppointment(string ServiceId)
{
    // body runs only if the caller is in "SomeRole"; otherwise a SecurityException is thrown
}


Additionally you have to provide a mechanism which maps the Windows user (the Windows identity established by impersonation, see above) to the specific role.
This can be done in Global.Cs in the method Application_AcquireRequestState

// somefunctionof() is your own lookup of the roles for the given account name
String[] roles = somefunctionof(Thread.CurrentPrincipal.Identity.Name);
GenericIdentity MyIdentity = new GenericIdentity(Thread.CurrentPrincipal.Identity.Name);
GenericPrincipal MyPrincipal = new GenericPrincipal(MyIdentity, roles);
Thread.CurrentPrincipal = MyPrincipal;

• If you do not use the browser at the client side there are generally two ways to provide credentials.
If you can force the user to enter the user name and password do the following
System.Net.ICredentials icred = new System.Net.NetworkCredential(m_User, m_Pwd, m_Domain);

A much better way is to use the currently cached Windows credentials
System.Net.ICredentials icred = System.Net.CredentialCache.DefaultCredentials;


Sorry if this is not enough, but security is not something you can implement in a few minutes. One good solution requires a good security concept. It is not enough that your application just runs properly. It is also VERY IMPORTANT that your application runs secured. I propose you search MSDN for more information using the following keywords

PrincipalPermissionAttribute, impersonation, web.config, NTLM, DefaultCredentials, Credentials
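As an added example (not code from either post), here is the role mapping and the role-gated link put together in one ASP.NET Web Forms application. It replaces the principal in Application_AuthenticateRequest rather than Application_AcquireRequestState, so that Page.User is already mapped when the page runs; the RoleTable dictionary, the account names, the HomePage class and the AppointmentsLink control are all assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Global : HttpApplication
{
    // Constructed sample mapping: Windows account -> application roles.
    // A real deployment would read this from a database or AD group membership.
    static readonly Dictionary<string, string[]> RoleTable =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", new[] { "SomeRole", "Reader" } },
            { @"CORP\bob",   new[] { "Reader" } }
        };

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // With <authentication mode="Windows"/> and anonymous access off,
        // Context.User already carries the NTLM-authenticated identity.
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return; // IIS has not authenticated this request; nothing to map

        string[] roles;
        if (!RoleTable.TryGetValue(user.Identity.Name, out roles))
            roles = new string[0]; // authenticated but in no role: deny by default

        GenericPrincipal p = new GenericPrincipal(
            new GenericIdentity(user.Identity.Name, "NTLM"), roles);
        Context.User = p;            // consulted by Page.User.IsInRole
        Thread.CurrentPrincipal = p; // consulted by PrincipalPermission demands
    }
}

public partial class HomePage : Page
{
    protected HyperLink AppointmentsLink; // declared in the .aspx markup (assumed)

    protected void Page_Load(object sender, EventArgs e)
    {
        // Hide the link for users outside the role. The target page or web
        // method must still carry its own PrincipalPermission demand, because
        // a hidden link does not stop a user from typing the URL directly.
        AppointmentsLink.Visible = User.IsInRole("SomeRole");
    }
}
```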
 