Security in business layer

  • Question

  • User-94466089 posted

    If I have an ASP.NET MVC application using a business layer to validate data before saving it to a database, should I then have the security checks (i.e. who has permission to save) in the business layer or in the ASP.NET application? I can set Authorize-attributes on the controller actions but should I also in business layer check that the user has the right permissions?

        public bool SaveSomething(Object o)
        // Check authorization??

    If doing so, I guess I have to make an extra roundtrip to the database...?

    Monday, December 20, 2010 4:48 AM

All replies

  • User197322208 posted

    The business layer is where you should do it.

    You can add it later in other layers (GUI) to make the application faster.

    Monday, December 20, 2010 5:31 AM
  • User712082397 posted

    Yes, you must do it in the business layer. That's the layer that defines all the rules for your application.

    Monday, December 20, 2010 10:27 AM
  • User-94466089 posted

    How would the application get faster if I still have to do the validation in the business layer? Also, how do I make use of the MembershipProvider used in the web application in the business layer? I want the business layer to work regardless of whether there is an ASP.NET or a WPF application as UI, so I guess I can't call HttpContext.Current.User from the BL?

    Monday, December 20, 2010 11:45 AM
  • User-952121411 posted

    I want the business layer to work regardless of whether there is an ASP.NET or a WPF application as UI, so I guess I can't call HttpContext.Current.User from the BL?

    No, but all 'HttpContext.Current.User' does is return an object that implements System.Security.Principal.IPrincipal, which you could pass down through the layers and remain application-type agnostic.

    Monday, December 20, 2010 2:49 PM
  • User-94466089 posted

    Don't really see what you mean. What code should I call in the BL to find out which user is currently making a request, no matter if the request comes from a web application or a WPF application?

    Tuesday, December 21, 2010 6:28 AM
  • User-952121411 posted

    You might not have a method identical to this because you probably wouldn't pass the type directly in (might be a property or security object of its own), but it shows you how you can use the code:

        Public Sub DoSomething(ByVal MyValue1 As String, ByVal UserContext As System.Security.Principal.IPrincipal)
            'Sample code...
            If UserContext.Identity.IsAuthenticated Then
                If UserContext.Identity.Name = "SuperDuperAdmin" Then
                    'Work restricted to this user goes here
                End If
            End If
        End Sub

    ...and sample calling code say in an ASP.NET instance:

        'Pass in the 'HttpContext.Current.User' object which implements the IPrincipal Interface
        DoSomething("Test", HttpContext.Current.User)

    Remember that as long as the security context type implements the IPrincipal interface you will be able to use the type to check security regardless of the application type. Interfaces don't care about the implementation details, just that the type adheres to the Interface itself.

    Tuesday, December 21, 2010 10:36 AM
  • User-94466089 posted

    This requires me to pass HttpContext.Current.User from the ASP.NET application. I would prefer not to pass anything regarding security at all but to simply do the check in the BL. Is this possible? Also, as of now I am setting the objectProviderKey of the MembershipUser to the id of the user once he has logged in. How do I retrieve this value in the Business Layer in a scenario like this?

    Tuesday, December 21, 2010 11:02 AM
  • User-1184423958 posted

    The PrincipalPermissionAttribute class allows security actions for PrincipalPermission to be applied to code using declarative security.

    Could be like this,

        // requires: using System.Security.Permissions;
        // The runtime checks Thread.CurrentPrincipal.IsInRole(...) before the method body runs
        // and throws SecurityException if the demand fails.
        [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
        public void DoSomething1() { }

        [PrincipalPermission(SecurityAction.Demand, Role = "Users")]
        public void DoSomething2() { }

    Wednesday, December 22, 2010 7:05 AM
  • User-94466089 posted

    How are the roles defined? How does it for example check if the current user is in role "Administrators"?

    Thursday, December 23, 2010 4:24 AM
  • Thursday, December 23, 2010 4:40 AM
  • User-94466089 posted

    The link is broken.

    Thursday, December 23, 2010 8:38 AM
  • User-1184423958 posted

    Here it is: http://msdn.microsoft.com/en-us/library/ms731200.aspx

    Friday, December 24, 2010 4:19 AM
  • User-94466089 posted

    I guess using PrincipalPermission is basically the same thing as doing this inside the method: if (!Thread.CurrentPrincipal.IsInRole("role")) throw new SecurityException();

    Friday, December 31, 2010 5:21 AM
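The two approaches discussed in this thread (passing an IPrincipal into the business layer, and demanding a role declaratively with PrincipalPermission against Thread.CurrentPrincipal) put together as an added C# example; this is not code from any poster, it assumes the .NET Framework of the time (PrincipalPermission demands are not supported on .NET Core), and the DocumentService class, the principals and the role names are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// UI-agnostic business layer: it never touches HttpContext. Whatever host
// authenticated the user (ASP.NET, WPF, a unit test) supplies the principal.
public class DocumentService
{
    // Imperative check: works with any IPrincipal implementation.
    public bool SaveSomething(object o, IPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");
        if (!user.IsInRole("Administrators"))
            throw new SecurityException("Caller lacks the Administrators role.");
        // ... data validation and persistence would follow here ...
        return true;
    }

    // Declarative check: the same IsInRole test, but the runtime evaluates it
    // against Thread.CurrentPrincipal before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public bool SaveSomethingDeclarative(object o)
    {
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var svc = new DocumentService();
        // Constructed principals standing in for what the host would pass
        // (HttpContext.Current.User in ASP.NET, a login result in WPF).
        var admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Administrators" });
        var user = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Users" });

        Console.WriteLine(svc.SaveSomething("doc", admin));
        try { svc.SaveSomething("doc", user); }
        catch (SecurityException e) { Console.WriteLine("Denied: " + e.Message); }

        // For the declarative form the host sets the thread principal once per request.
        Thread.CurrentPrincipal = admin;
        Console.WriteLine(svc.SaveSomethingDeclarative("doc"));
        Thread.CurrentPrincipal = user;
        try { svc.SaveSomethingDeclarative("doc"); }
        catch (SecurityException e) { Console.WriteLine("Denied: " + e.Message); }
    }
}
```

Either way the business layer rejects the call for the "Users" principal, so the check holds even if a UI forgets its Authorize attribute; no extra database roundtrip is needed because the roles are already carried by the principal the host built at login.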