Secure Your .NET Applications and Integrate Them with Active Directory

This is a showcase review for our sponsors at CodeProject. These reviews are intended to provide you with information on products and services that we consider useful and of value to developers.

Introduction

Do you need one solution for managing users and security in all .NET applications? Or do you need to integrate your applications with Active Directory? PortSight Secure Access can solve most security issues. Even better - you can get it completely free!

• Download Free Community Edition
• Download Trial Version
• View On-Line Demo

Quick Overview

PortSight Secure Access is a .NET component. It provides a database of users, user groups and organizational units and it allows you to control access to your applications. The programming interface can be used in ASP.NET, WinForms and Web Services. The Enterprise Edition allows you to import user accounts from Active Directory, Windows domains and ODBC-enabled databases.

Figure 1 - PortSight Secure Access high-level architecture.

Installation and Application Security Wizard

The installation of PortSight Secure Access is simple - you just go through the wizard and it creates the Secure Access user database and installs the Web-based user interface.

Figure 2 - PortSight Secure Access installation is really smooth.

The Application Configuration Wizard helps you configure security of your ASP.NET application in a few easy steps. You only need to create an empty ASP.NET project and choose the security options in the wizard. You can choose between Forms and Windows authentication. The wizard modifies the virtual directory security settings, copies Secure Access files to your application and modifies the Global.asax file.

Figure 3 - Application Configuration Wizard helps you configure security of your ASP.NET application.

Authentication

After completing the wizard and compilation, your application requires authentication and is fully prepared for implementing authorization and auditing features. If you chose Forms authentication, users have to provide their user name and password. In this case, passwords are stored in the database. You can choose to store only hash of the passwords to avoid password exposure.

Figure 4 - The logon form offers rich functionality, including "Send Forgotten Password" and "Change Expired Password" features. It also enforces the password policy when changing the password.

Customizable User Profiles

User profiles are stored in the database along with other information. The profile contains the most common fields, such as user name, full name, e-mail address or shipping address. But the default fields do not limit you - you can add any number of custom properties to the user profile. You can use these fields for storing user preferences and settings.

Figure 5 - User profile can contain any number of your custom properties.

Authorization - Controlling Access to Application Modules

PortSight Secure Access allows you to control access to particular modules or features. It provides a variety of authorization methods.

Checking Membership in Groups and Organizational Units

The most simple authorization method is checking user's membership in a particular group or organizational unit.

Code 1 - Checking user membership.

[VB.NET]

If ARHelper.IsMember("JohnD", "PMs") Then ... 

[C#]

If (ARHelper.IsMember("JohnD", "PMs") { ... 

Role-based Security

A more advanced and the most common way is using role-based security. You can define any number of roles for each application and assign these roles to users and groups.

Code 2 - Checking if user is member of particular role.

[VB.NET]

If ARHelper.IsInRole("JohnD", "WorkReports.Manager") Then ... 

[C#]

If (ARHelper.IsInRole("JohnD", "WorkReports.Manager") { ... 

Figure 6 - The Web-based user interface allows you to manage security of your applications from one single point.

Checking User Permissions

Permissions represent the most flexible authorization method. You can define permissions for each application or module and then grant these permissions to users. However, the preferred solution is granting permissions to roles instead of users and assign users (or groups) to these roles. In this way, your customer can easily modify default permissions for particular roles by himself. It also helps you avoid re-writing the application code when a customer decides, "TeamLeaders role members should be allowed to APPROVE in the WORKREPORTS application" instead of "TeamLeaders role members should be only allowed to READ in the WORKREPORTS application".

Code 3 - Checking user permissions.

[VB.NET]

If ARHelper.IsAuthorized("JohnD","WorkReports.ReportViewer","Read") Then ...

[C#]

If (ARHelper.IsAuthorized("JohnD", "WorkReports.ReportViewer", "Read")) {...

Figure 7 - Permissions for particular roles can be easily managed using the Permission Matrix control.

Web Content Authorization

So far, we have mentioned only authorization in your applications. However, PortSight Secure Access allows you to control access to downloading any Web content. You can define the content using the path mask, such as "*.doc" or "/PortSight/secret/img*.jpg" and you can check in your code what permissions (in Secure Access) are required for the files.So far, we have mentioned only authorization in your applications. However, PortSight Secure Access allows you to control access to downloading any Web content. You can define the content using the path mask, such as "*.doc" or "/PortSight/secret/img*.jpg" and you can check in your code what permissions (in Secure Access) are required for the files.

Auditing Trail

An important feature of the application security is auditing of user activities. It can help you detect attacks and attempts at unauthorized access to secret data and also keep track of data modifications. Last but not least, some laws, including the HIPAA rules, require the auditing trail.

Code 4 - Logging activities in the auditing trail is extremely simple.

[VB.NET]

ARHelper.Log("JohnD", "User changed amount to USD 5.90", <BR>            "WorkReports.TravelExpenses") 

[C#]

ARHelper.Log("JohnD", "User changed amount to USD 5.90", <BR>             "WorkReports.TravelExpenses"); 

Delegation

In some cases, the security of the system requires immediate and frequent changes. When a manager gets new people on the project, it's often necessary to grant them permissions to various applications. With PortSight Secure Access delegation features, the manager can do this without waiting for an administrator. The administrator can easily delegate the management of groups, organizational units and roles to privileged users.

Figure 8 - You can delegate part of the security management to privileged users and avoid administrator's bottleneck. All you have to do is add this user control to your application.

Integration with Active Directory, Windows Domains and Existing Databases

Creating, modifying and deleting users and groups in several systems becomes difficult or even impossible as the number of systems grows. Although PortSight Secure Access has its own user database, this doesn't mean that it's another headache for your administrator.

It allows you to set up a regular import from Microsoft Active Directory, Windows domains and existing ODBC-enabled databases. You can import user accounts as well as user groups, organizational units and membership information. When you update the user's e-mail address in Active Directory, the change is automatically copied to your Secure Access database during the periodical import, ensuring that your application works with the latest data.

Figure 9 - You can map source properties to Secure Access fields in the Import Wizard.

Reusable User Controls

Secure Access is delivered with several ASP.NET user controls, such as:

• Logon Form
• Send Forgotten Password
• Change Password
• List of Users
• Control for selection of single or multiple users
• ... and others.

The WinForms user controls include "Logon Form" and "Change Password" dialogs.

Figure 10 - Selection of multiple users doesn't require any difficult coding.

One Solution for All Platforms

PortSight Secure Access 2.0 supports not only ASP.NET applications, but also WinForms and Web Services. The WinForms applications can use either Secure Access components directly or - preferably - they can consume Secure Access Web Service that provides the most frequent methods to the client applications. Using this Web Service, you can use Secure Access features on virtually any platform or device with Web Services support.

The new Secure Access version comes also with support for securing your own Web Services. It uses Microsoft Web Services Enhancements to implement the WS-Security standard. The users of your Web Service need to provide their user name and password to call Web Service methods and your Web Service can check client's roles and permissions.

Figure 11 - PortSight Secure Access now secures also WinForms and Web Services. It's delivered with "Logon Form" and "Change Password" controls for WinForms.

Secure Your Applications with Free Community Edition

PortSight has also released a free edition of Secure Access - the Community Edition. It's available for download on http://www.portsight.com/SecureAccess. It's limited to 100 user accounts stored in the database; it doesn't support organizational units and permissions. It's intended for smaller projects and it's free also for commercial use.

Edition Comparison

Table 1 - Available Editions.

Edition	Description	Price
Community Edition	- Limited to 100 user accounts. - Doesn't support organizational units and permissions. - Intended for smaller projects.	Free
Standard Edition		USD 249 per server
Enterprise Edition	- All features of the Standard Edition. - Supports import from Active Directory, Windows domains and ODBC-enabled databases.	USD 399 per server

Table 2 - Feature Comparison...

Feature	Community	Standard	Enterprise
Unlimited Number of User Accounts	NO (100)	YES	YES
Management of User Profiles and Passwords	YES	YES	YES
Management of User Groups	YES	YES	YES
Management of Organizational Units	NO	YES	YES
Management of Applications	YES	YES	YES
Management of Application Parts (Modules)	NO	YES	YES
Application Configuration Wizard for ASP.NET	YES	YES	YES
ASP.NET - Web Forms Authentication	YES	YES	YES
ASP.NET - Windows Authentication	YES	YES	YES
ASP.NET - Role-Based Authorization	YES	YES	YES
ASP.NET - Permission-Based Authorization	NO	YES	YES
ASP.NET - Auditing	YES	YES	YES
ASP.NET - Management of Preferences	YES	YES	YES
ASP.NET - Web Farms support	YES	YES	YES
ASP.NET - User Controls	YES	YES	YES
ASP.NET - Delegation of Administration	YES	YES	YES
ASP.NET - Controlling Access to Web Content	YES	YES	YES
.NET WinForms Applications - Forms Authentication	YES	YES	YES
.NET WinForms Applications - Windows Authentication	YES	YES	YES
.NET WinForms Applications - Role-Based Authorization	YES	YES	YES
.NET WinForms Applications - Permission-Based Authorization	NO	YES	YES
.NET WinForms Applications - Auditing	YES	YES	YES
.NET WinForms Applications - Management of Preferences	YES	YES	YES
.NET WinForms Applications - Delegation of Administration	YES	YES	YES
.NET WinForms Applications - Logon Control	YES	YES	YES
ASP.NET Web Services - Authentication using WS-Security	YES	YES	YES
ASP.NET Web Services - Role-Based Authorization	YES	YES	YES
ASP.NET Web Services - Permission-Based Authorization	NO	YES	YES
ASP.NET Web Services - Auditing	YES	YES	YES
ASP.NET Web Services - Management of Preferences	YES	YES	YES
ASP.NET Web Services - Delegation of Administration	YES	YES	YES
Import from Microsoft Active Directory	NO	NO	YES
Import from Microsoft Windows NT Domains	NO	NO	YES
Import from ODBC databases	NO	NO	YES

It's Your Choice

When considering the user management and access control solution for your next project, try to answer the following questions:

• How do I secure my application?
• How secure and flexible is my solution?
• How do I integrate my application with existing user databases?

And - of course: How many hours will I spend designing and implementing these features?

Please visit www.PortSight.com/SecureAccess to find more information, download the free Community Edition or the trial version. You can also see an on-line demo of the Web-based administration interface.

• Download Free Community Edition
• Download Trial Version
• View On-Line Demo

Should you have any questions, please feel free to contact us at support@PortSight.com or use the on-line form at http://www.PortSight.com/questions