Secure Your .NET Applications and Integrate Them with Active Directory
Mar 2, 2004
Free .NET Component for managing users and controlling access to your applications.
This is a showcase review for our sponsors at CodeProject. These reviews are intended to provide you with information on products and services that we consider useful and of value to developers.
Introduction
Do you need one solution for managing users and security in all your .NET applications? Or do you need to integrate your applications with Active Directory? PortSight Secure Access covers the common cases: authentication, authorization and auditing for .NET applications, with a central user database. Even better - you can get it completely free.
Quick Overview
PortSight Secure Access is a .NET component. It provides a database of users, user groups and organizational units and it allows you to control access to your applications. The programming interface can be used in ASP.NET, WinForms and Web Services. The Enterprise Edition allows you to import user accounts from Active Directory, Windows domains and ODBC-enabled databases.
Figure 1 - PortSight Secure Access high-level architecture.
Installation and Application Security Wizard
The installation of PortSight Secure Access is simple - you just go through the wizard and it creates the Secure Access user database and installs the Web-based user interface.
Figure 2 - PortSight Secure Access installation is really smooth.
The Application Configuration Wizard helps you configure the security of your ASP.NET application in a few steps. You only need to create an empty ASP.NET project and choose the security options in the wizard. You can choose between Forms and Windows authentication. The wizard modifies the virtual directory security settings, copies the Secure Access files into your application and modifies the Global.asax file.
Figure 3 - Application Configuration Wizard helps you configure security of your ASP.NET application.

Authentication
After completing the wizard and compiling, your application requires authentication and is prepared for the authorization and auditing features. If you chose Forms authentication, users have to provide their user name and password, and the passwords are stored in the database. You can choose to store only a hash of each password so that the database never holds the clear text; prefer that option. Note that a feature which mails a forgotten password back to the user presupposes a recoverable password, so with hash-only storage a reset has to issue a new password instead of returning the old one.
Figure 4 - The logon form offers rich functionality, including "Send Forgotten Password" and "Change Expired Password" features. It also enforces the password policy when changing the password.
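The hash-only storage option is the one to pick, and if you ever have to implement the same thing yourself it should look like the following. This C# example is added here and is not code from the article or from PortSight: a random per-user salt, a deliberately slow PBKDF2 derivation, and a constant-time comparison on verification. The `PasswordStore` class, its method names and the sample users are invented for the illustration; it assumes .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: store only a salted, iterated hash and verify in constant time.
// Class and method names are invented for this illustration (not the Secure Access API).
public static class PasswordStore
{
    // What gets persisted per user. Iterations and salt travel with the hash so
    // the work factor can be raised later without invalidating older records.
    public sealed class Record
    {
        public int Iterations;
        public byte[] Salt;
        public byte[] Hash;
    }

    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    // PBKDF2-HMAC-SHA256; tune so that one derivation costs roughly 100 ms on your server.
    private const int DefaultIterations = 600_000;

    // Build the record to store; the clear-text password is never written anywhere.
    public static Record Create(string password, int iterations = DefaultIterations)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return new Record { Iterations = iterations, Salt = salt, Hash = Derive(password, salt, iterations) };
    }

    // Re-derive with the stored salt and iteration count, then compare in constant time
    // so a wrong guess does not leak how many leading bytes matched.
    public static bool Verify(Record record, string candidate)
    {
        byte[] attempt = Derive(candidate, record.Salt, record.Iterations);
        return CryptographicOperations.FixedTimeEquals(attempt, record.Hash);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // Demonstration with constructed users: identical passwords yield different records,
    // and only the correct password verifies.
    public static void Main()
    {
        var users = new Dictionary<string, Record>
        {
            ["JohnD"] = Create("Spring2004!"),
            ["JaneD"] = Create("Spring2004!")
        };

        bool saltsEqual = CryptographicOperations.FixedTimeEquals(users["JohnD"].Salt, users["JaneD"].Salt);
        bool hashesEqual = CryptographicOperations.FixedTimeEquals(users["JohnD"].Hash, users["JaneD"].Hash);

        Console.WriteLine("Salts differ for identical passwords:  " + (!saltsEqual));
        Console.WriteLine("Hashes differ for identical passwords: " + (!hashesEqual));
        Console.WriteLine("Correct password verifies: " + Verify(users["JohnD"], "Spring2004!"));
        Console.WriteLine("Wrong password rejected:   " + (!Verify(users["JohnD"], "spring2004!")));
    }
}
```

The iteration count is a cost knob, not a constant: store it with the record, as above, and raise it as hardware gets faster.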

Customizable User Profiles
User profiles are stored in the database along with other information. The profile contains the most common fields, such as user name, full name, e-mail address or shipping address. But the default fields do not limit you - you can add any number of custom properties to the user profile. You can use these fields for storing user preferences and settings.
Figure 5 - User profile can contain any number of your custom properties.

Authorization - Controlling Access to Application Modules
PortSight Secure Access allows you to control access to particular modules or features. It provides a variety of authorization methods.
Checking Membership in Groups and Organizational Units
The simplest authorization method is checking a user's membership in a particular group or organizational unit.
Code 1 - Checking user membership.
[VB.NET]
If ARHelper.IsMember("JohnD", "PMs") Then ...
[C#]
if (ARHelper.IsMember("JohnD", "PMs")) { ...
Role-based Security
A more advanced and the most common way is using role-based security. You can define any number of roles for each application and assign these roles to users and groups.
Code 2 - Checking if user is member of particular role.
[VB.NET]
If ARHelper.IsInRole("JohnD", "WorkReports.Manager") Then ...
[C#]
if (ARHelper.IsInRole("JohnD", "WorkReports.Manager")) { ...
Figure 6 - The Web-based user interface allows you to manage security of your applications from one single point.
Checking User Permissions
Permissions are the most flexible authorization method. You define permissions for each application or module and grant them to users. The preferred design, however, is to grant permissions to roles and then assign users (or groups) to those roles. Your customer can then adjust the default permissions of a role without involving you, and you avoid changing application code when the customer decides that "members of the TeamLeaders role may APPROVE in the WORKREPORTS application" rather than "members of the TeamLeaders role may only READ in the WORKREPORTS application": the code keeps asking for the APPROVE permission, and only the role's grants change.
Code 3 - Checking user permissions.
[VB.NET]
If ARHelper.IsAuthorized("JohnD","WorkReports.ReportViewer","Read") Then ...
[C#]
if (ARHelper.IsAuthorized("JohnD", "WorkReports.ReportViewer", "Read")) { ...
Figure 7 - Permissions for particular roles can be easily managed using the Permission Matrix control.
Web Content Authorization
So far, we have covered only authorization inside your application code. PortSight Secure Access can also control access to downloadable Web content. You define the protected content with a path mask, such as "*.doc" or "/PortSight/secret/img*.jpg", and check in your code which Secure Access permissions are required for the matching files. Because the check runs in your code, it covers only requests that reach the ASP.NET pipeline; IIS of that era serves static files such as .doc or .jpg directly unless their extensions are mapped to the ASP.NET ISAPI extension (aspnet_isapi.dll), so add those mappings before relying on a mask.
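The role-based permission model from the previous section and the path-mask content rules from this one fit together in a few dozen lines. The following C# is an added example, not the article's code and not the ARHelper API; the `AuthorizationStore` class, its method names, and the sample roles, users and paths are invented. It shows why granting permissions to roles keeps policy changes out of the code, and how a path mask resolves to a required permission.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example of the authorization model described in the article: permissions are
// granted to roles, users are assigned to roles, and downloadable content is tied to a
// required permission by path mask. Names are invented; this is not the ARHelper API.
public sealed class AuthorizationStore
{
    private readonly Dictionary<string, HashSet<string>> _rolePermissions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<string, HashSet<string>> _userRoles =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
    private readonly List<(Regex Mask, string Module, string Permission)> _contentRules =
        new List<(Regex, string, string)>();

    private static string Key(string module, string permission) => module + ":" + permission;

    // Grants live on roles, so "TeamLeaders may Approve" is a data change, not a code change.
    public void Grant(string role, string module, string permission)
    {
        if (!_rolePermissions.TryGetValue(role, out var grants))
            _rolePermissions[role] = grants = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        grants.Add(Key(module, permission));
    }

    public void AssignRole(string user, string role)
    {
        if (!_userRoles.TryGetValue(user, out var roles))
            _userRoles[user] = roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        roles.Add(role);
    }

    public bool IsInRole(string user, string role) =>
        _userRoles.TryGetValue(user, out var roles) && roles.Contains(role);

    // A user holds a permission if any of their roles has it. Unknown users fail closed.
    public bool IsAuthorized(string user, string module, string permission)
    {
        if (!_userRoles.TryGetValue(user, out var roles)) return false;
        string wanted = Key(module, permission);
        foreach (string role in roles)
            if (_rolePermissions.TryGetValue(role, out var grants) && grants.Contains(wanted))
                return true;
        return false;
    }

    // Masks such as "*.doc" or "/PortSight/secret/img*.jpg": '*' matches any run of
    // characters, everything else is literal. Rules are checked in insertion order.
    public void ProtectContent(string pathMask, string module, string permission) =>
        _contentRules.Add((MaskToRegex(pathMask), module, permission));

    // 'path' must already be URL-decoded and normalised (no "..", no "%2e" tricks),
    // otherwise an encoded request slips past the mask.
    public bool CanDownload(string user, string path)
    {
        foreach (var rule in _contentRules)
            if (rule.Mask.IsMatch(path))
                return IsAuthorized(user, rule.Module, rule.Permission);
        return true; // no rule: public content. Return false here for a fail-closed site.
    }

    private static Regex MaskToRegex(string mask)
    {
        string pattern = "^" + Regex.Escape(mask).Replace(@"\*", ".*") + "$";
        return new Regex(pattern, RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
    }

    public static void Main()
    {
        var store = new AuthorizationStore();
        store.Grant("TeamLeaders", "WorkReports", "Read");
        store.Grant("Managers", "WorkReports", "Read");
        store.Grant("Managers", "WorkReports", "Approve");
        store.AssignRole("JohnD", "TeamLeaders");
        store.ProtectContent("*.doc", "WorkReports", "Read");
        store.ProtectContent("/PortSight/secret/img*.jpg", "WorkReports", "Approve");

        Console.WriteLine("JohnD in TeamLeaders:      " + store.IsInRole("JohnD", "TeamLeaders"));
        Console.WriteLine("JohnD may Read:            " + store.IsAuthorized("JohnD", "WorkReports", "Read"));
        Console.WriteLine("JohnD may Approve:         " + store.IsAuthorized("JohnD", "WorkReports", "Approve"));
        Console.WriteLine("JohnD gets q1.doc:         " + store.CanDownload("JohnD", "/reports/q1.doc"));
        Console.WriteLine("JohnD gets secret img:     " + store.CanDownload("JohnD", "/PortSight/secret/img01.jpg"));
        Console.WriteLine("anonymous gets logo.gif:   " + store.CanDownload("nobody", "/public/logo.gif"));

        // The customer's policy change, made as data rather than code:
        store.Grant("TeamLeaders", "WorkReports", "Approve");
        Console.WriteLine("JohnD may Approve now:     " + store.IsAuthorized("JohnD", "WorkReports", "Approve"));
        Console.WriteLine("JohnD gets secret img now: " + store.CanDownload("JohnD", "/PortSight/secret/img01.jpg"));
    }
}
```

Two design points are worth copying: lookups fail closed for unknown users and roles, and the content matcher works on a normalised path, since a mask is only as good as the canonical form of what it is compared against.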
Auditing Trail
An important part of application security is auditing user activity. An audit trail helps you detect attacks and attempts at unauthorized access to sensitive data, and it keeps a record of data modifications. Last but not least, some regulations, including the HIPAA rules, require one.
Code 4 - Logging activities in the auditing trail is extremely simple.
[VB.NET]
ARHelper.Log("JohnD", "User changed amount to USD 5.90",
"WorkReports.TravelExpenses")
[C#]
ARHelper.Log("JohnD", "User changed amount to USD 5.90",
"WorkReports.TravelExpenses");
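Logging successful actions is the easy half; the denials are what let you detect the attacks the paragraph mentions. The following C# is an added example, not code from the article or from Secure Access: an append-only trail whose entries carry time, user, module, outcome and message, a wrapper that records every refused authorization decision, and a detector that flags users who accumulate denials within a short window. The `AuditTrail` class, the injected clock and the sample scenario are invented for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the article's or Secure Access's code: an append-only audit trail,
// a check wrapper that always records denials, and a repeated-denial detector.
// Names are invented for this illustration.
public sealed class AuditTrail
{
    public sealed class Entry
    {
        public DateTime At;      // UTC
        public string User;
        public string Module;
        public string Message;
        public bool Denied;
        public override string ToString() =>
            $"{At:O} {(Denied ? "DENY" : "OK  ")} {User} [{Module}] {Message}";
    }

    private readonly List<Entry> _entries = new List<Entry>();
    private readonly Func<DateTime> _clock; // injected so the scenario below is deterministic

    public AuditTrail(Func<DateTime> clock) { _clock = clock; }

    public IReadOnlyList<Entry> Entries => _entries;

    // Same shape as the Log call shown in the article. Keep secrets (passwords, tokens,
    // card numbers) out of the message: the trail outlives the data it describes.
    public void Log(string user, string message, string module) =>
        _entries.Add(new Entry { At = _clock(), User = user, Module = module, Message = message, Denied = false });

    // Run an authorization check and make sure a refusal is always written, so attempts at
    // unauthorized access appear in the trail and not only the successes.
    public bool CheckAndLog(string user, string module, string permission,
                            Func<string, string, string, bool> isAuthorized)
    {
        bool ok = isAuthorized(user, module, permission);
        if (!ok)
            _entries.Add(new Entry { At = _clock(), User = user, Module = module,
                                     Message = "Denied permission " + permission, Denied = true });
        return ok;
    }

    // Users with at least 'threshold' denials inside the 'window' that ends at 'now'.
    public List<string> UsersWithRepeatedDenials(int threshold, TimeSpan window, DateTime now)
    {
        DateTime since = now - window;
        return _entries
            .Where(e => e.Denied && e.At >= since && e.At <= now)
            .GroupBy(e => e.User, StringComparer.OrdinalIgnoreCase)
            .Where(g => g.Count() >= threshold)
            .Select(g => g.Key)
            .ToList();
    }

    public static void Main()
    {
        // Constructed scenario: a fake clock that advances ten seconds per entry.
        var t = new DateTime(2004, 3, 2, 9, 0, 0, DateTimeKind.Utc);
        var trail = new AuditTrail(() => { t = t.AddSeconds(10); return t; });

        // Stand-in for the real permission lookup: only JohnD may Read.
        Func<string, string, string, bool> policy =
            (user, module, perm) => user == "JohnD" && perm == "Read";

        trail.Log("JohnD", "User changed amount to USD 5.90", "WorkReports.TravelExpenses");
        trail.CheckAndLog("JohnD", "WorkReports.ReportViewer", "Read", policy);
        for (int i = 0; i < 4; i++)
            trail.CheckAndLog("mallory", "WorkReports.ReportViewer", "Approve", policy);
        trail.CheckAndLog("JohnD", "WorkReports.ReportViewer", "Approve", policy);

        foreach (var e in trail.Entries) Console.WriteLine(e);

        var flagged = trail.UsersWithRepeatedDenials(3, TimeSpan.FromMinutes(5), t);
        Console.WriteLine("Flagged for repeated denials: " + string.Join(", ", flagged));
    }
}
```

In the scenario, mallory's four refusals inside the window trip the threshold while JohnD's single refusal does not. In production the trail goes to a table or log the application account can append to but not rewrite; a trail the attacker can edit is not evidence.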
Delegation
In some cases, the security of the system requires immediate and frequent changes. When a manager gets new people on the project, it's often necessary to grant them permissions to various applications. With PortSight Secure Access delegation features, the manager can do this without waiting for an administrator. The administrator can easily delegate the management of groups, organizational units and roles to privileged users.
Figure 8 - You can delegate part of the security management to privileged users and avoid administrator's bottleneck. All you have to do is add this user control to your application.
Integration with Active Directory, Windows Domains and Existing Databases
Creating, modifying and deleting users and groups in several systems becomes difficult or even impossible as the number of systems grows. Although PortSight Secure Access has its own user database, this doesn't mean that it's another headache for your administrator.
It allows you to set up a regular import from Microsoft Active Directory, Windows domains and existing ODBC-enabled databases. You can import user accounts as well as user groups, organizational units and membership information. When you update a user's e-mail address in Active Directory, the change is copied to your Secure Access database during the next periodic import, so your application works with current data. The import is one-way and periodic, which means that a change made in Active Directory, including disabling or deleting an account, reaches the Secure Access database only when the next import runs; choose the interval with that delay in mind.
Figure 9 - You can map source properties to Secure Access fields in the Import Wizard.
Reusable User Controls
Secure Access is delivered with several ASP.NET user controls, such as:
- Logon Form
- Send Forgotten Password
- Change Password
- List of Users
- Control for selection of single or multiple users
- ... and others.
The WinForms user controls include "Logon Form" and "Change Password" dialogs.
Figure 10 - Selection of multiple users doesn't require any difficult coding.
One Solution for All Platforms
PortSight Secure Access 2.0 supports not only ASP.NET applications, but also WinForms and Web Services. The WinForms applications can use either Secure Access components directly or - preferably - they can consume Secure Access Web Service that provides the most frequent methods to the client applications. Using this Web Service, you can use Secure Access features on virtually any platform or device with Web Services support.
The new Secure Access version also supports securing your own Web Services. It uses Microsoft Web Services Enhancements (WSE) to implement the WS-Security standard. Callers of your Web Service supply their user name and password in the WS-Security header of each request, and your Web Service can check the caller's roles and permissions. Because the credential travels with every call, expose such a service over HTTPS.
Figure 11 - PortSight Secure Access now secures also WinForms and Web Services. It's delivered with "Logon Form" and "Change Password" controls for WinForms.
Secure Your Applications with Free Community Edition
PortSight has also released a free edition of Secure Access - the Community Edition. It's available for download at http://www.portsight.com/SecureAccess. It's limited to 100 user accounts stored in the database and doesn't support organizational units or permissions. It's intended for smaller projects and is also free for commercial use.
Edition Comparison
Table 1 - Available Editions.
Edition | Description | Price
Community Edition | Limited to 100 user accounts. | Free
Standard Edition | | USD 249 per server
Enterprise Edition | All features of the Standard Edition. | USD 399 per server
Table 2 - Feature Comparison.
Feature | Community | Standard | Enterprise
Unlimited Number of User Accounts | NO (100) | YES | YES
Management of User Profiles and Passwords | YES | YES | YES
Management of User Groups | YES | YES | YES
Management of Organizational Units | NO | YES | YES
Management of Applications | YES | YES | YES
Management of Application Parts (Modules) | NO | YES | YES
Application Configuration Wizard for ASP.NET | YES | YES | YES
ASP.NET - Web Forms Authentication | YES | YES | YES
ASP.NET - Windows Authentication | YES | YES | YES
ASP.NET - Role-Based Authorization | YES | YES | YES
ASP.NET - Permission-Based Authorization | NO | YES | YES
ASP.NET - Auditing | YES | YES | YES
ASP.NET - Management of Preferences | YES | YES | YES
ASP.NET - Web Farms support | YES | YES | YES
ASP.NET - User Controls | YES | YES | YES
ASP.NET - Delegation of Administration | YES | YES | YES
ASP.NET - Controlling Access to Web Content | YES | YES | YES
.NET WinForms Applications - Forms Authentication | YES | YES | YES
.NET WinForms Applications - Windows Authentication | YES | YES | YES
.NET WinForms Applications - Role-Based Authorization | YES | YES | YES
.NET WinForms Applications - Permission-Based Authorization | NO | YES | YES
.NET WinForms Applications - Auditing | YES | YES | YES
.NET WinForms Applications - Management of Preferences | YES | YES | YES
.NET WinForms Applications - Delegation of Administration | YES | YES | YES
.NET WinForms Applications - Logon Control | YES | YES | YES
ASP.NET Web Services - Authentication using WS-Security | YES | YES | YES
ASP.NET Web Services - Role-Based Authorization | YES | YES | YES
ASP.NET Web Services - Permission-Based Authorization | NO | YES | YES
ASP.NET Web Services - Auditing | YES | YES | YES
ASP.NET Web Services - Management of Preferences | YES | YES | YES
ASP.NET Web Services - Delegation of Administration | YES | YES | YES
Import from Microsoft Active Directory | NO | NO | YES
Import from Microsoft Windows NT Domains | NO | NO | YES
Import from ODBC databases | NO | NO | YES
It's Your Choice
When considering the user management and access control solution for your next project, try to answer the following questions:
- How do I secure my application?
- How secure and flexible is my solution?
- How do I integrate my application with existing user databases?
And - of course: How many hours will I spend designing and implementing these features?
Please visit www.PortSight.com/SecureAccess to find more information, download the free Community Edition or the trial version. You can also see an on-line demo of the Web-based administration interface.
Should you have any questions, please feel free to contact us at support@PortSight.com or use the on-line form at http://www.PortSight.com/questions