Membership API and Database Access

  • Question

  • Okay, not sure if this is the right forum... but here goes.

    My concern is the use of the membership api. When configuring it, it needs access to a database. I'm kinda thinking this is a bad idea, as I generally see direct database access by a web server as a security "hole". Generally I delegate all database access to the app layer (which resides behind a firewall, preferably in a different domain, etc.). Is there a way to configure the membership api to delegate to an object layer (secured)? I was thinking of using the membership api in my services layer and delegating the auth calls from the web to the app tier (encrypting data using an x509 cert). Is this possible, or am I going overboard?
    Thursday, July 24, 2008 7:06 PM

Answers

  • There is a very simple solution: use the membership only to manage users, and create a Data Access Layer in your web service and manage that access with Windows authentication. This separates the layers and gives you the control you want, but you need to get a DBA to add all your users' Windows accounts into the SQL Server database used by the Web Service. I told you this in my previous post; that is Microsoft's recommendation, and you can also use encryption.
    Asp.net MVP, MCPD Web C#, MCITP BI & MCTS SQL Server 2005
    • Proposed as answer by edhickey Monday, August 4, 2008 9:31 PM
    • Marked as answer by Documatic Monday, August 4, 2008 10:45 PM
    Friday, July 25, 2008 8:30 PM
    Moderator

All replies

  • (I'm kinda thinking this is a bad idea as I generally see direct database access by a web server as a security "hole".)

    You have got it wrong: the Asp.net membership is an application service. When you use it with a database, the aspnetdb, it owns that database; however, you have the option to add the whole database to your existing database.

    (I was thinking of using the membership api in my services layer and delegating the auth calls from web to app tier (encrypting data using an x509 cert).)

    You need to do that with the WCF implementation of membership, because the default Asp.net implementation does not use certificates for authentication. I actually think you need a profile provider that will control your users' access to your application; membership just manages the default access to your site.

    http://msdn.microsoft.com/en-us/library/ms998283.aspx

    http://www.asp.net/Downloads/sandbox/table-profile-provider-samples/
    Asp.net MVP, MCPD Web C#, MCITP BI & MCTS SQL Server 2005
    Friday, July 25, 2008 1:52 PM
    Moderator
  • (You have got it wrong the Asp.net membership is an application service when you use it with a database the aspnetdb it owns that database, however you have the option to add the whole database to your existing database.)

    Owning the database doesn't take anything away. The point is you have data access done by a web server. Typically the database is behind a couple of firewalls, removed from the web servers (which typically run in a DMZ). Sure, you can have a separate db for just the membership information, as the membership api "owns" the database. That doesn't make it necessarily safe. I agree you should use encryption to protect the connection strings (the articles you reference) at the least. What I was really getting at is: should I just delegate / pass through to the membership api on my service layer?

    Friday, July 25, 2008 6:19 PM
  • (The point is you have data access done by a web server.)

    That is only true if you put your aspnetdb in your AppData folder, which is only recommended for personal web sites. In an Enterprise application the Asp.net membership database is just another database running in your company database server.

    You want a complex application service created by a different team, the Asp.net team, to be managed by the WCF team section of your application; then you need to wait for the membership API created by that team, because what you have now works in Asp.net.

    However, there is a custom implementation: you inherit from the Asp.net membership and use an existing database. That is how most Microsoft packaged software, like CRM, uses membership to manage users. WCF uses Windows authentication; it is easy to use authorization and add your users to SQL Server through a Windows group. More work, but it is not complicated. I can do it but if you cannot get the DBA to help you.


    Asp.net MVP, MCPD Web C#, MCITP BI & MCTS SQL Server 2005
    Friday, July 25, 2008 7:20 PM
    Moderator
  • You've kinda lost me on this answer... maybe I'm confusing you, but...

    If you look at Improving Web Application Security (the Introduction has a nice diagram), you can see the ideal is the web tier separated from the app tier by a firewall, and data access is done by the app tier. In the scenario you describe with the membership api, I either place the db on my web server (which we all know is not recommended), or I have to open up a tunnel between tiers. This can be done, but I was trying to remove all data access from my web tier entirely. I think it's possible by creating a custom provider (that would delegate the calls to my services layer).

    (You want a complex application service created by a different team the Asp.net team to be managed by WCF team section of your application, then you need to wait for the membership API created by that team because what you have now works in Asp.net.)

    I'm really not sure where you're going with this. We already have a membership db created. In fact we are doing exactly what I see as an issue (our web server accesses our database server where the membership db is located). What I really want is to move the db behind a firewall (with a services layer) and have the communication done via services, thus removing data access from the tier and removing an attack surface. Alternatively we could just move the db and open a port in the firewall to allow the web server to get to the membership database. Even though the membership api is more app, it still runs on the web server. Again, if we look at the ideal picture, our web tier and app tier are separated, not together.

    Friday, July 25, 2008 7:54 PM