
A Secure Role-based Windows Form

Arjo Kalisvaart, 30 Sep 2009, CPOL
This article describes how to implement Role-based Windows Form security. The solution includes a "SecureBaseForm" which allows/denies access to an inheriting Form and may fire the UserIsAllowed or UserIsDenied events.

SecureBaseForm.jpg

Introduction

This role-based secure base form lets you implement security on Windows Forms without having to rewrite the basic security handling for each form within your application or project.

Background

As I needed to restrict access to several forms or to several parts of forms, I was searching for a base form which could deliver this functionality. However, the ones that I came across were limited in their functionality, and therefore I had to look at other ways to achieve this goal. First, I set up the basic requirements that were needed within this base form:

  1. The base form should not conflict when used in design mode (although basic, there are some issues that need to be considered).
  2. The base form should take the required roles for the form and the user principal (IPrincipal) as parameters in order to validate the access to the form.
  3. The base form should:
    1. Open the form when one of the User-roles is in the Form roles.
    2. Not open the form when none of the User-roles is in the Form roles.
    3. Allow an event to be raised when the user is allowed.
    4. Allow an event to be raised when the user is denied (this overrides the second option as the form, in this case, needs to be opened).
  4. Give a validated list of roles that are within the User-Roles and the Form-Roles.

In search for the correct approach

During the search over the internet, I came across this article: Simplified implementation without title, which forms the basic idea for this implementation. Although simplified, this person describes the approach to take correctly, hence my interest in using the same skeleton. When testing this approach, I came across one issue: when the form is initialized from the Main method (program.cs), the "Show" or "ShowDialog" methods are not called, so another means of initialization is needed. Luckily, I came across this article explaining how to approach the issue: Application Architecture in Windows Forms 2.0. The flaw that I came across with this approach is that it will silently run within the background when the main window is never made visible, but it is a start.

[STAThread]   
static void Main() 
{
    ...
    // Create and show the main form modelessly
    MainForm form = new MainForm(); 
    form.Show();

    // Run the application only when the Form has been created.
    if( form.Created )
        Application.Run();
}

Using the code

Creating the form based on the SecureBaseForm and implementing the security parameters:

using System.Security.Principal;

public class Form1 : SecureBaseForm
{
    // A constructor has no return type; the form roles and the principal go to the base form.
    public Form1(IPrincipal userPrincipal) : 
        base( new string[] { "UserRole1", "UserRole2" }, userPrincipal )
    {
        //
        //    Capture the principal here in case it is needed in a second Form
        //
        InitializeComponent();
    }
}

In the above example, the user is allowed to open the form when the user principal contains either the "UserRole1" or the "UserRole2" role. The same example can also show how to disable certain features based on one of the roles when the user does have access to the form:

//
// Form1 has the event handling "Form1_UserIsAllowed" defined
//
private void Form1_UserIsAllowed(object sender, EventArgs e)
{
    // ValidatedUserRoles only holds roles that are also in the form's role list
    button1.Enabled = this.ValidatedUserRoles.Contains("UserRole1");
    button2.Enabled = this.ValidatedUserRoles.Contains("UserRole2");
}

Depending on whether the user has the role "UserRole1" or "UserRole2", the appropriate button(s) will be enabled. The same event handling is available for "UserIsDenied".
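
A base form that meets the four requirements listed under Background and works with the Form1 code above, as an added example; it is not the article's SecureBaseForm source. The member names come from the article, while the constructor bodies, the placement of the check in OnLoad and closing the form on denial are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Windows.Forms;

// Added example: member names follow the article; the bodies are assumptions.
public class SecureBaseForm : Form
{
    private readonly string[] formRoles = new string[0];
    private readonly IPrincipal principal;   // stays null when the designer builds the form
    private readonly List<string> validated = new List<string>();

    public event EventHandler UserIsAllowed;
    public event EventHandler UserIsDenied;

    // Parameterless constructor so the designer can instantiate the base class.
    // At run time it leaves the principal null, so the form is denied.
    public SecureBaseForm() { }

    protected SecureBaseForm(string[] formRoles, IPrincipal userPrincipal)
    {
        this.formRoles = formRoles ?? new string[0];
        this.principal = userPrincipal;
    }

    // Roles that are both required by the form and held by the user.
    public IList<string> ValidatedUserRoles { get { return validated.AsReadOnly(); } }

    // Checked in OnLoad, not in the constructor: by now the inheriting form
    // has built its controls and attached its event handlers.
    protected override void OnLoad(EventArgs e)
    {
        if (!DesignMode)
        {
            // IPrincipal cannot enumerate roles, so probe each form role.
            if (principal != null)
                foreach (string role in formRoles)
                    if (principal.IsInRole(role)) validated.Add(role);

            bool allowed = validated.Count > 0;
            EventHandler handler = allowed ? UserIsAllowed : UserIsDenied;
            if (handler != null) handler(this, EventArgs.Empty);
            // Fail closed: no matching role and nobody handles the denial.
            else if (!allowed) { Close(); return; }
        }
        base.OnLoad(e);
    }
}
```

Disabling a button in UserIsAllowed only gates the UI; code behind a sensitive action should check the role again, for example with IPrincipal.IsInRole, before doing the work.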

Points of interest

I never was so pleased with implementing security as there will always be weak spots and you have to follow the various forums and the like to keep up to date. Nevertheless, I think this is a nice approach which will allow my future applications to have one hurdle less.

Should you want to comment, please do so...

History

  • Version 1.00 (30 September, 2009) - Hopefully, something can be done on UserControls as well (keep your eyes open).

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Arjo Kalisvaart
Software Developer (Senior) ICTY
Netherlands
No Biography provided

Comments and Discussions

 
Question: complete project? (v.zabavnik, 5-Jan-10 23:46)
Answer: Re: complete project? (Arjo Kalisvaart, 6-Jan-10 0:57)
General: Re: complete project? (nagham_4ng, 21-Aug-11 20:59)
Is there a part 2 for this article? I started using it, but I need a form where the user can set the permissions himself, such as Form1 has roles Role2, Role3 and so on... Do you have such an article?
General: Re: complete project? (Arjo Kalisvaart, 22-Aug-11 9:21)
General: Using attributes to assign roles (Asher Barak, 19-Nov-09 3:51)
News: Test Project is incomplete [modified] (arjok, 2-Oct-09 2:06)

Last Updated 30 Sep 2009
Article Copyright 2009 by Arjo Kalisvaart