April 06, 2012

Role security in ASP.NET MVC

An interesting post here describes how to do role-based security in an ASP.NET MVC 4 project. The two crucial concerns for security are:
  • Minimizing the risk of forgetting to assign security restrictions to controller actions or web functions
  • Ensuring that security survives the open communication of sessions between client and server over the network
I usually consider it relevant to isolate the security assignment from the application code. In many systems, like the ASP.NET MVC 4 example described in the article, and in others like Spring and other Java frameworks, and also in PHP, the assignment of role access is expressed in the code as an annotation. The point of this is that role requirements are specified alongside the action instead of in a web configuration file that maps URLs to controller calls, ensuring a single point of specification (many different URLs may lead to the same controller action).

The problem with this close coupling between role requirements and actions is the risk of not assigning roles, or assigning the wrong roles, by the individuals implementing the action who are not in charge of defining security roles, or who may not even know who should have access to which actions. For larger-scale work the separation between code and security assignment should perhaps be greater.
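To make the trade-off concrete, here is an added example (not code from the linked article or from the original post) for ASP.NET MVC 4 (System.Web.Mvc). It shows the annotation style the post describes, a global `AuthorizeAttribute` registration so that an action nobody remembered to annotate is denied by default rather than left open, and a small reflection audit that lists actions carrying no explicit authorization decision so the person who owns the role model can review them. The controller, its actions and the role names are constructed for illustration.

```csharp
// Added example, not from the original post: deny-by-default global filter plus
// an audit of controller actions that carry no explicit authorization decision.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// 1. Deny by default. Registering AuthorizeAttribute globally (MVC 4's
//    FilterConfig, invoked from Application_Start) means an action that was
//    never annotated requires an authenticated user instead of being public.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute()); // any authenticated user, no role check
    }
}

// 2. Role requirements stated next to the action, as the post describes.
//    Controller and role names are constructed for this example.
public class ReportsController : Controller
{
    [AllowAnonymous]                      // explicit opt-out of the global filter
    public ActionResult Index() { return View(); }

    [Authorize(Roles = "Auditor,Admin")]  // explicit role requirement
    public ActionResult Export() { return View(); }

    // No explicit decision here: the global filter still applies, but the
    // audit below reports it so the role owner can confirm that is intended.
    public ActionResult Draft() { return View(); }
}

// 3. Audit: every public action whose method and controller carry neither
//    [Authorize] nor [AllowAnonymous]. Run it from a unit test or at startup.
public static class AuthorizationAudit
{
    public static IList<string> FindUnannotatedActions(Assembly assembly)
    {
        var findings = new List<string>();
        var controllers = assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);

        foreach (var controller in controllers)
        {
            bool controllerDecided = HasDecision(controller);
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType)
                            && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (var action in actions)
            {
                if (!controllerDecided && !HasDecision(action))
                    findings.Add(controller.Name + "." + action.Name);
            }
        }
        return findings;
    }

    // A controller-level attribute counts as a decision for all its actions.
    private static bool HasDecision(MemberInfo member)
    {
        return member.IsDefined(typeof(AuthorizeAttribute), true)
            || member.IsDefined(typeof(AllowAnonymousAttribute), true);
    }
}
```

Calling `AuthorizationAudit.FindUnannotatedActions(typeof(ReportsController).Assembly)` reports `ReportsController.Draft` and nothing else, which is exactly the kind of gap the post worries about: the developer who wrote `Draft` may never have been told which roles it belongs to. The audit does not decide roles for them; it only surfaces the undecided actions to whoever does, which keeps the role definition separate from the action implementation while still catching omissions early.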
