none
What kind of security options are available in Astoria? RRS feed

  • Question

  •  

    Hi all,

     

    What kind of security options are available to restrict data access in Astoria?

     

    Can Astoria be used for updating data or is it only for accessing data?

     

    Thank You,

    Vish

    Tuesday, August 14, 2007 2:02 PM

Answers

  • What kind of security options are available to restrict data access in Astoria?

    >>> An excerpt from: http://astoria.mslivelabs.com/UsingMicrosoftCodenameAstoria.doc

     

    For this CTP release, Astoria data services use a very simple authorization model.

    By default, all entity-sets are visible and read-write. This is a temporary setting that is helpful to learn the technology. As the technology moves into more mature stages, more restrictive defaults will be used.

    The authorization model in this Astoria CTP only distinguishes between two states: authenticated or non-authenticated.

    Policies for authorization can enable or disable visibility and updatability on each of the entity-sets. These policies are setup during service initialization. If you want to customize these policies you will need to add a public static (shared in Visual Basic) method called "InitializeDataService" to the data service class. That method takes a WebDataServiceConfiguration parameter that has methods to add policies and set default policies. The example below shows how to create the initialization method, set default policies (read-only for non-authenticated users in the example) and add specific policies (require authentication even to see Sales Orders in the example).

    public class Northwind : WebDataService<NorthwindEntities>

    {

        public static void InitializeDataService(

                                   WebDataServiceConfiguration config) {

            config.DefaultEntitySetUpdatability =

                                   AuthorizationScope.Authenticated;

            config.DefaultEntitySetVisibility =

                                   AuthorizationScope.Anonymous;

            config.AddAuthorizationRule("Orders",

                                        AuthorizationScope.Authenticated,

                                        AuthorizationScope.Authenticated);

        }

    }

    Example 33: Initialize the data service authorization policies with custom defaults and extra authorization rules

    NOTE: this authorization scheme is clearly too simplistic for most real application needs. As we gather feedback on the appropriate authorization model we will incorporate it into future versions of the product.

     

    Can Astoria be used for updating data or is it only for accessing data?

    >>> Astoria can be used to perform the full range of CRUD operations on data .

    HTTP Verb = Action

    POST = insert

    PUT = update

    GET = retreive

    DELETE = delete

     

     

     

     

     

    Tuesday, August 14, 2007 4:03 PM