Authorization on categories

  • Question

  • Hi,

    I am currently designing an application to manage Contacts, Companies, Products, Product Categories, etc. The application is accessible from a Windows client (back-office in multiple international locations) and a Web client (front-office for online reservations) by using WCF as the communication medium between the clients and the server.

    It must use usernames/passwords stored in a database AND in Active Directory.

    We need to implement authorization features such as:
    - User is authorized to manage (CRUD) all products
    - User is authorized to manage products of category "Cars" only

    1. Authentication

    A good option seems to be using an STS with WCF: I would have an STS that issues tokens when clients send their username/password. Later the clients can use this token to authenticate to the Business services. It could be particularly useful since we want later to open part of the Business services to partners.

    What do you think of that idea?

    2. Authorization

    As I need special authorization on methods and on resources (e.g. user is only manager of products inside the "Cars" category), what kind of mechanism should I use? Can EntLib Security Block work in that scenario? If so, can someone help me get started for this particular scenario?

    Thanks in advance :-)


    Tuesday, February 27, 2007 1:42 PM
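The requirement in the question (CRUD on all products versus CRUD on products in one category only) is a resource-level check, not just a method-level one: the service has to look at the category of the concrete product, and when a product changes category it has to check both the old and the new category or a "Cars" manager could move a product into, or out of, a category they do not manage. The following is an added illustration of that policy model, written for this page and not code from the original post, WCF, EntLib or any STS. It is a language-neutral Python sketch of the claims a token service might carry and the deny-by-default check a business service would perform against them; every name in it (PermissionClaim, Principal, is_authorized, update_product, the "Cars"/"Boats" catalogue) is hypothetical, and the sample data is constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Hypothetical model for this example; these are not EntLib, WCF or STS API names.
ANY_CATEGORY = "*"
CRUD = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class PermissionClaim:
    """One claim as an STS might place in a token: a set of actions on a
    resource type, optionally limited to one category ('*' = every category)."""
    resource_type: str
    actions: FrozenSet[str]
    category: str = ANY_CATEGORY


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as reconstructed from its token's claims."""
    name: str
    claims: FrozenSet[PermissionClaim]


@dataclass(frozen=True)
class Product:
    product_id: int
    name: str
    category: str


class AuthorizationError(PermissionError):
    pass


def is_authorized(principal: Principal, action: str, resource_type: str, category: str) -> bool:
    """Deny by default; grant only if some claim covers the action, the resource
    type and the category of the concrete resource being touched."""
    for claim in principal.claims:
        if claim.resource_type != resource_type or action not in claim.actions:
            continue
        if claim.category in (ANY_CATEGORY, category):
            return True
    return False


def demand(principal: Principal, action: str, product: Product) -> None:
    """Resource-level gate a business service method would call before acting."""
    if not is_authorized(principal, action, "product", product.category):
        raise AuthorizationError(
            f"{principal.name} may not {action} product {product.product_id} "
            f"(category {product.category})")


def update_product(principal: Principal, product: Product,
                   new_name: Optional[str] = None,
                   new_category: Optional[str] = None) -> Product:
    """A category-scoped manager needs 'update' on the product's current category
    AND on the target category when the category changes; a method-level
    'can call UpdateProduct' check alone would miss this."""
    demand(principal, "update", product)
    target = new_category or product.category
    if target != product.category:
        demand(principal, "update", Product(product.product_id, product.name, target))
    return Product(product.product_id, new_name or product.name, target)


def update_allowed(principal: Principal, product: Product,
                   new_category: Optional[str] = None) -> bool:
    """Convenience wrapper: True if update_product would succeed."""
    try:
        update_product(principal, product, new_category=new_category)
        return True
    except AuthorizationError:
        return False


def list_products(principal: Principal, products: Iterable[Product]) -> List[Product]:
    """Filter results by the same check, so a listing never leaks rows the
    caller could not read individually."""
    return [p for p in products if is_authorized(principal, "read", "product", p.category)]


# Constructed sample data: a small catalogue and two principals matching the
# two requirements in the question (all products vs. the "Cars" category only).
CATALOGUE = [Product(1, "Roadster", "Cars"), Product(2, "Yacht", "Boats"),
             Product(3, "Sedan", "Cars")]
ADMIN = Principal("admin", frozenset({PermissionClaim("product", CRUD)}))
CARS_MANAGER = Principal("cars-manager",
                         frozenset({PermissionClaim("product", CRUD, "Cars")}))

if __name__ == "__main__":
    print([p.name for p in list_products(CARS_MANAGER, CATALOGUE)])
    print(update_allowed(CARS_MANAGER, CATALOGUE[0], new_category="Boats"))
```

The point of the sketch is that the claim carries both the action set and the scope, so the STS can issue "CRUD on product in Cars" and "CRUD on product anywhere" as the same kind of token content, and every service method funnels through one check that takes the actual resource's category into account. Partners opened up later would simply receive narrower claims.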

All replies