Windows Client Login + User Roles

  • Question

  • I am developing a WPF Windows client occasionally connected application (http://msdn.microsoft.com/en-us/library/bb384436.aspx) with SQL Server express on local client laptop syncing to SQL Server standard whenever the laptop has access to the corporate network.

    We want to add a Login Dialog, assign roles to users (in the sql server database) and restrict access to certain areas of the application depending on the roles the user is assigned to.

    What API, dll, etc should I be using to manage login and user roles? Is there example code somewhere of adding this functionality?


    Wednesday, June 8, 2011 4:25 PM

All replies

  • Active directory can do that along with System.Security.Principal.

    Or at least it can do if you have access to the domain server.

    Not so sure you're going to be able to do isinrole if you can't get at that.

    I'm inclined to think it won't suit you.

    http://www.codeproject.com/KB/miscctrl/Application_Login.aspx

     

    Failing that then you could use the asp.net membership provider ( and yes I know this is WPF and I'm not kidding ).

    You can store the membership info on any sql server database and sync any sql server tables so you can copy your security structure onto laptops.

    There's a shed load of articles about using the asp.net membership system which you can google.

    You'll be mainly wanting those discussing using it in windows.

    Obviously, dragging the standard asp.net login control onto a web page ain't going to be how your front end will work.

    http://www.google.co.uk/search?q=asp.net+membership+winforms&sourceid=ie7&rls=com.microsoft:en-gb:IE-Address&ie=&oe=&redir_esc=&ei=trHvTeOiGIbMhAeciKnCCQ

     

    • Proposed as answer by Sheldon _Xiao Sunday, June 12, 2011 8:00 AM
    • Marked as answer by GaryBarrett Sunday, June 12, 2011 11:09 AM
    Wednesday, June 8, 2011 5:33 PM
  • Thanks for the pointers Andy.

    Can Active Directory details be cached to allow isinrole to work in offline scenarios?

     

    Is there any comparison anywhere of asp.net membership provider vs Active Directory IsInRole?

    I've struggled to find anything that compares or explains the differences or how the 2 methods fit in the Microsoft stack - use this one in these scenarios, use the other in these other scenarios, etc.

    Thursday, June 9, 2011 4:24 PM
  • I'm pretty sure roles (groups) won't be cached.

    So relying on active directory is only suitable if you're happy with a default role when the user is out the office.

     

    You could of course insist that they first use the application in the office and when the app starts it checks roles and stores them in the local database.

    A bit of encryption would be necessary.

    Then you could write something that does isinrole when the user is in the office.

    Maybe insisting on a connection for some particularly sensitive activities.

    If there's no connection, check the list of roles stored in the local database last time.

    Don't just rely on windows security on the local database.

    I particularly like Active directory and groups based security.  There is usually someone whose job it is maintaining logins and they already have the tools and knowledge to do so.

     

    If that's no good to you then use asp.net membership provider.

     

    I think it's highly unlikely there exists any definition of use this in whatever case. 

     

    One more thought.

    SQL CE 4 is now a filecopy install and you might want to consider that instead of express on the client.

    Depending on how much data you have etc etc.

    • Proposed as answer by Sheldon _Xiao Sunday, June 12, 2011 8:00 AM
    • Marked as answer by GaryBarrett Sunday, June 12, 2011 11:09 AM
    Thursday, June 9, 2011 7:17 PM
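
Added example, not part of the thread and not code from any of the posters: one way to implement the role caching described in the reply above, using DPAPI (ProtectedData) for the "bit of encryption" and a file standing in for the local database table. The class name, cache path, entropy string and 14-day maximum age are assumptions; the project needs references to System.Security and System.DirectoryServices.AccountManagement.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: caches the user's AD group names locally for offline role checks.
static class OfflineRoleCache
{
    // Hypothetical values: cache location, app-specific entropy, maximum cache age.
    static readonly string CachePath = Path.Combine(Environment.GetFolderPath(
        Environment.SpecialFolder.LocalApplicationData), "ExampleApp", "roles.bin");
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.RoleCache.v1");
    static readonly TimeSpan MaxAge = TimeSpan.FromDays(14);

    // In the office: read groups from the domain and store them protected with DPAPI.
    // Returns false when the domain cannot be reached or the lookup fails.
    public static bool TryRefreshFromDomain()
    {
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain))
            using (var user = UserPrincipal.FindByIdentity(ctx, Environment.UserName))
            {
                if (user == null) return false;
                var groups = user.GetAuthorizationGroups().Select(g => g.Name);
                string record = DateTime.UtcNow.Ticks + "\n" + Environment.UserName
                                + "\n" + string.Join("\n", groups);
                byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(record),
                                                    Entropy, DataProtectionScope.CurrentUser);
                Directory.CreateDirectory(Path.GetDirectoryName(CachePath));
                File.WriteAllBytes(CachePath, blob);
                return true;
            }
        }
        catch (PrincipalException) { return false; } // includes PrincipalServerDownException
    }

    // Offline: answer from the cache; deny if it is missing, altered, stale or another user's.
    public static bool IsInCachedRole(string role)
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(CachePath),
                                                   Entropy, DataProtectionScope.CurrentUser);
            string[] lines = Encoding.UTF8.GetString(plain).Split('\n');
            var age = DateTime.UtcNow - new DateTime(long.Parse(lines[0]), DateTimeKind.Utc);
            if (lines.Length < 2 || age < TimeSpan.Zero || age > MaxAge) return false;
            if (!lines[1].Equals(Environment.UserName, StringComparison.OrdinalIgnoreCase)) return false;
            return lines.Skip(2).Contains(role, StringComparer.OrdinalIgnoreCase);
        }
        catch (Exception ex) when (ex is IOException || ex is CryptographicException) { return false; }
    }
}
```

DPAPI at CurrentUser scope stops other accounts and casual edits of the stored roles, but the logged-in user can still produce a valid blob, so keep the live domain check for sensitive actions as the reply suggests.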
  • Hi GaryBarrett,

    Have you got what you need?

     

    Best regards,


    Sheldon _Xiao[MSFT]

    Sunday, June 12, 2011 8:01 AM