Authorization solution for 2-tier C# Winforms app? RRS feed

  • Question

  • I'm building a simple client-server .NET2 app for a customer.  Task- or role-based authorization is needed.  I've just used SQL db roles in earlier apps, but I'd like to use something more modern.  I've looked briefly at AzMan and Enterprise Library, but I'm concerned the overhead of these solutions will adversely impact performance and dev. costs.  Some of the pieces on AzMan seem to suggest it can't be used on XP clients -- is this true?


    I'm interested in hearing recommendations.  The solution should work with client apps running on Windows XP connecting to SQL2005 running on Windows 2000 server.  The AD domain is hosted on WS2003, but the database server cannot be upgraded to WS2003 due to other software requirements.


    What would be a simple but effective solution for authorization in this context?



    Saturday, August 4, 2007 10:06 PM


All replies

  • It is important to notice that you need to keep the SQL db roles. This is due to the fact that you are enabling users to access directly to the db server (even if they don't know). You can relate the db roles to active directory groups, providing administrators a convenient place for configuration.


    If you just want a simple solution on application level (after applying the sql db roles), you can use PrincipalPermissionAttribute and do role checks: If you need an imperative check you can use PrincipalPermission:


    PS remember the approach described is not client-server, since there is none application server. If that were the case, the security could be enforced there.


    Freddy Rios -

    Sunday, August 5, 2007 4:51 AM
  • Thanks for your reply.  I'll look into this further.  I'm tempted to put in a business tier to consolidate db connections and do  security checks, but it starts to overly complicate a 5-user application.  Plus, I haven't done 3-tier in .Net before, and I have bad memories of how painful it was to set up mid-tier COM objects in the '90s.


    Sunday, August 5, 2007 7:38 PM
  • You are right not to over-architect and future proof a simple application. I wouldn't try to get a too fancy security machanism either (unless you have a risk/threat assesment that says you do)

    Monday, August 6, 2007 7:58 AM
  • I do like the idea of having more fine-grained control over task authorization and using that to selectively enable controls on the forms.  I'm considering using NetSQLAzMan (see, e.g. for task-level authorization.  In conjunction with some scheme like code-signing to verify the client software and assigning a session ID to the db connection (to distinguish from someone just opening up a query window), it might work  in a low-threat envt.  Granted, most sp's would have to do a session check on the spid, but it should be workable.  At the last project meeting, they wanted to open the app to several more classes of users, so using db roles alone could get messy.
    Monday, August 6, 2007 5:28 PM