Security Application Block in Web Applications
The new Security Application Block in the Enterprise Library Jan edition authenticates and authorizes users in Windows and web applications.
In an article I wrote, I tackle authorizing users using the Roles provider to create an IPrincipal object and authorize the user for a specific task.
The security block uses rules-based processing to validate users for specific tasks. A rule specifies which users or roles have permission for it. When you authorize a user, you pass the name of the rule that determines access, and the method returns a boolean indicating whether the user is allowed.
It is important to understand the value of declaring more rules than seem strictly necessary. Using one rule for many tasks, instead of breaking rules out per task, can make maintenance harder later in the development cycle, especially if you need to add a role for only part of what the rule covers. For instance, if you use one rule for insert, update, and delete actions, but later want to add a role for only the insert and update actions, you have to change your code. If instead the rules were broken out for each action, this modification is simple.
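The following is an added example, not code from the original post or from Enterprise Library itself, showing the one-rule-per-action layout described above. It assumes the Security Application Block assembly is referenced, that the three rule names (Order.Insert, Order.Update, Order.Delete), the role names (Editor, Admin) and the user name are placeholders you would replace with your own, and that the rules are declared in the application's configuration file as sketched in the comment. Because each action has its own rule, granting a new role the insert and update actions later means editing two rule expressions in configuration; the authorization call in code does not change.

```csharp
// Added example (not from the original post). Assumes the Enterprise Library
// Security Application Block is referenced and that the configuration file
// declares one rule per action, for instance (rule names, roles and the
// expression syntax below are assumptions for this example):
//
// <securityConfiguration>
//   <authorizationProviders>
//     <add name="RuleProvider"
//          type="Microsoft.Practices.EnterpriseLibrary.Security.AuthorizationRuleProvider, Microsoft.Practices.EnterpriseLibrary.Security">
//       <rules>
//         <add name="Order.Insert" expression="R:Editor OR R:Admin" />
//         <add name="Order.Update" expression="R:Editor OR R:Admin" />
//         <add name="Order.Delete" expression="R:Admin" />
//       </rules>
//     </add>
//   </authorizationProviders>
// </securityConfiguration>
using System;
using System.Security.Principal;
using Microsoft.Practices.EnterpriseLibrary.Security;

public class OrderAuthorizationDemo
{
    // One rule per action. Adding a role to insert/update later is a
    // configuration change only; nothing here needs to be recompiled.
    public const string InsertRule = "Order.Insert";
    public const string UpdateRule = "Order.Update";
    public const string DeleteRule = "Order.Delete";

    // Asks the configured provider whether the principal may perform the
    // action guarded by the named rule. Returns false on any failure so a
    // misconfigured rule denies rather than allows.
    public static bool CanPerform(IPrincipal user, string ruleName)
    {
        IAuthorizationProvider provider = AuthorizationFactory.GetAuthorizationProvider();
        try
        {
            return provider.Authorize(user, ruleName);
        }
        catch (Exception)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Constructed principal for the demo. In a web application you would
        // use HttpContext.Current.User instead; "alice" and "Editor" are placeholders.
        IIdentity identity = new GenericIdentity("alice");
        IPrincipal alice = new GenericPrincipal(identity, new string[] { "Editor" });

        string[] rules = new string[] { InsertRule, UpdateRule, DeleteRule };
        foreach (string rule in rules)
        {
            bool allowed = CanPerform(alice, rule);
            Console.WriteLine("{0}: {1}", rule, allowed ? "allowed" : "denied");
        }
        // With the configuration sketched above, alice (Editor) is allowed
        // Order.Insert and Order.Update but denied Order.Delete.
    }
}
```

The `CanPerform` wrapper deliberately fails closed: if the provider throws (for example because a rule name is misspelled in code or missing from configuration), the caller sees a denial rather than an exception that might be swallowed higher up, which keeps a configuration mistake from silently granting access.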