Authentication and Authorisation

  • Article

As promised, the first in a series of posts about security relevant to a developer new to .NET (such as a VB6 developer).

These are what most people will immediately think of when security is discussed.

  • Authentication
    This is proving your identity by some means, whether it's knowing your password, having the right swipe card or having your fingerprint checked.
  • Authorisation
    Once a system knows who you are it can apply some rules to decide what you can see or do.

ASP.NET has a huge amount of built-in support for performing authentication and authorisation (a far cry from the situation with ASP) including a full-blown membership system that simplifies creating a web site that requires registration before you can access certain areas of the site.

Authentication and authorisation have tended to be less significant when developing desktop based systems because a) it is a more "controlled" environment and b) the desktop OS can be left to handle these issues for you.

A common scenario where you do need to customise things is where a desktop application needs its own authorisation rules (we can still rely on the OS performing the authentication for us, typically against Active Directory). What we want to do in our application is authorise users using Active Directory (or ADAM) - to minimise the development effort here you should look at the Security Application Block.

What (or who) is ADAM, some of you are asking? Simply putĀ  Active Directory Application Mode is a standalone version of Active Directory that you can distribute with your application. Therefore you could have you own authentication database which could also be customised without impacting Active Directory itself.

While I'm on the subject of application blocks, there are a couple of others that relate to security. There's a Cryptography Application Block which I'll talk about in a later post, but for now I wanted to point out the Logging Application Block. This is great if you need to record what's going on in your application for troubleshooting, error reporting, or from the security standpoint, auditing.

Creating log entries from your code is straightforward:

    1:  Dim logEntry As LogEntry = New LogEntry()

    2:  logEntry.EventId = 100

    3:  logEntry.Priority = 2

    4:  logEntry.Message = "User Logon: " + userName

    5:  logEntry.Categories.Add("Audit")

    6:  logEntry.Categories.Add("UI Events")

    7:  Logger.Write(logEntry)

The configuration options of the application block then enable you to control things like where the log messages get written to, and to define filters based on LogEntry fields.

Possible destinations for log messages include: a database, the Windows Event Log, a rolling flat file or an email.