Click here to Skip to main content
Click here to Skip to main content

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Nadége Baubant

United States United States
No Biography provided

Comments and Discussions

 

Re use Windows Accounts for Applications Access Control with Visual Guard .Net

, 2 Apr 2009 CPOL
See how to control access to .NET applications reusing Windows accounts for authentication. Integrate with Active Directory and grant roles and permissions to Windows accounts. Define permissions without adding code thanks to .NET reflection mechanism.

Editorial Note

This article is in the Product Showcase section for our sponsors at CodeProject. These reviews are intended to provide you with information on products and services that we consider useful and of value to developers.

Introduction

Controlling Access to corporate applications usually implies:

  • Authentication features, to verify the identity of users entering the applications
  • Permission features, to restrict their access to application data and features

Should you need to reuse Windows Accounts stored in Active Directory for authentication purposes, look no further.
Visual Guard is a comprehensive solution for access control in .NET applications. It combines authentication, permissions and auditing features in the same tool.

This article demonstrates how to reuse Windows accounts to authenticate end-users and adapt the application to user permissions.

What Can Visual Guard .NET do for you?

The screenshots below show the result of an application secured with Visual Guard .Net:

  • The user is automatically authenticated with the current Windows account.
  • The application opens without requesting any user credentials
  • User permissions are automatically enforced

Below are a couple of examples of how the application is changed to comply with user permissions:

Example 1: Hide or disable controls

The screenshots below show an employee form WITHOUT and WITH restrictions enforced by Visual Guard: a field is hidden and a button is disabled.

Example 2: Filter data

You may have to restrict access to sensitive data.
The example below filters a list to hide records that the user should not access.
You can also hide columns or specific fields if needed…

Prerequisite

For this tutorial, you need Microsoft Visual Studio 2008 or Visual Studio 2005 installed. The code samples below are for integration in a winform C# application. Code samples for winform VB.NET or ASP.NET are available here.

Free 30-day trials
are available from the Visual Guard website
.

Step 1: Declaring Windows account in Visual Guard

To do so, you will use the Visual Guard Console (no coding).

Open the Visual Guard Console and log in with the default master administrator account (Username=’Admin’ / Password=’pwd’).
Master administrators have full access to all features. Other roles are available for developers, administrators and auditors who will only perform development, identity management or auditing tasks.

In the console, open Repository=>Users, right click and select “Add Windows User or Group”.

The following dialog box opens:

Select the Windows accounts or groups you want to grant access to your application. In one repository, Visual Guard can manage accounts coming from several domains, as long as they belong to the same forest.

Step 1 is completed, Windows accounts are now declared in Visual Guard Repository.
We will now:

  • Integrate your application with Visual Guard
  • Create a permission to restrict access to your application
  • Grant this permission to a Windows account

Step 2: Integrate Visual Guard in your Application

Integrating Visual Guard into your application is very simple.

  1. Reference Visual Guard assemblies in your project

Open your project in Visual Studio (2005 or 2008) and add the assemblies of Visual Guard as references of your project, as shown below:

  • VisualGuard.Security is the main assembly and is always required.
  • Then you should include the assembly corresponding to your applications type (Winforms, Webforms, WebServices).
  • Finally, you will include the assembly corresponding to your repository (Oracle, SQLServer, File).
  1. Add the following code:

This code will authenticate the user with the current windows accounts and load its permissions for this application.

using System;
using System.Collections.Generic;
using System.Windows.Forms;
using Novalys.VisualGuard.Security;
using Novalys.VisualGuard.Security.WinForm;

namespace ADdemo
{
    static class Program
    {
        /// <summary>
        /// Main 
        Entry point of the application
            /// </summary>
            [STAThread]
            static 
                void Main()
            {

                Application.EnableVisualStyles();
                Application.SetCompatibleTextRenderingDefault(false);

                //Load 
                security
                    VGAuthorizationState 
                    state = VGSecurityManager.LoadSecurity (
                        System.Security.Principal.WindowsIdentity.GetCurrent());
                if 
                    (state.IsFailed)
                {
                    if 
                        (state.IsUserNotFound)
                    {
                        MessageBox.Show("Your 
                            are not declared in the security repository");
                    }
                    else
                    {
                        if 
                            (state.IsUserNotAuthorized)
                        {
                            MessageBox.Show("Your 
                                are not authorized to log on to this application");
                        }
                    }
                }
                else
                {
                    Application.Run(new Form1());
                }
            }
    }
}
  1. Create a repository and declare your application

In Visual Guard Console, open the menu [File - Add repository] and follow the wizard instructions. Select “create a new empty repository”, then choose “File” as repository type, indicate the name and location for the new file repository, and make sure you select Windows authentication mode.

Visual Guard is now integrated with your application, and your application has been declared in the repository.

You will find a similar example for ASP.NET applications here

Step 3: Define a permission and grant it to a Windows Account

Here is how it works:



A user is granted a role.
A role contains a permission set.
A permission set contains permissions.
A permission contains technical actions.


By default, permissions are hard-coded in the application.

This possibility still exists with Visual Guard. However, the tool offers an interesting alternative, based on the .NET reflection mechanism.

You can declare permissions within Visual Guard (instead of writing code in the application), and Visual Guard will apply them dynamically at runtime. Bottom line, security rules are separated from the application code and can evolve without accessing this code. You can add or modify permissions, grant permissions to roles and grant roles to users at runtime. No need to rebuild your application when maintaining security!

Most Visual Guard permissions consist in changing object properties to restrict user access (disabling or hiding controls, filtering grids…). More complex permissions are also available to cover specific needs (using values from the database, relying on conditions…).

Let’s make an example:
Right click on ‘permissions’, select ‘new permission’, and name it ‘hide employee address’.

Right click on this new permission and select “new property action” (meaning that you will define an action that will change a property in your application).

VG permission editor opens. This wizard will let you define:

  1. When to execute this action (on which event, under which condition)
  2. Which object.control.properties you want to change
  3. Which value should take these properties

As mentioned before, this is just a declaration stored in VG repository, you will not write code in your application.

  1. Select the object modified by this action.

At this point, Visual Guard lists all the objects in your application, using .NET reflection. You can then select the object ‘Employee’ to modify it.

  1. Define when to execute this action.

By default, the action will be executed just after Visual Guard loads the Security. You can execute the action when any event is triggered in the application, as well as define a condition for this action to be executed

  1. Select the controls and properties you want to modify, select the property you want to modify and change its value.

For example, in our case we will decide to hide the address and birth date field:

In the permission editor:

  • Select all corresponding fields at the same time
  • Select the ‘visible’ property
  • Select ‘false’ as the value for this property
  • Click the ‘Finish’ button.

The permission is now defined; you still have to grant this permission to users.

Therefore, you should:

  • Include this new permission in a permission set (drag & drop)
  • Grant this permission set to a role (drag & drop).
  • Grant this role to user accounts (username/right click/Edit role list).

Now if we open the application from the current Windows session, the address fields of the employee have been dynamically hidden.

If you want to see more about Visual Guard .NET visit www.visual-guard.com:

-- There are no messages in this forum --
| Advertise | Privacy | Mobile
Web02 | 2.8.141015.1 | Last Updated 2 Apr 2009
Article Copyright 2009 by Nadége Baubant
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid