Reg Role Based security..

Discussion in 'ASP .Net Security' started by Madan Nayak, Feb 6, 2004.

  1. Madan Nayak

    Madan Nayak Guest

    Hi All..

    Can anybody detail the basic differences/advantages/disadvantages between
    achieving role-based security and achieving the same thing through
    session.....


    Thanks
    Madan
    Madan Nayak, Feb 6, 2004
    #1

  2. Yes, you can use session with role-based security,

    just put roles from the database into session and retrieve roles when
    required.....
    Any further help is welcomed.

    Even 4GuysFromRolla has good articles.





    http://www.eggheadcafe.com/articles/20020906.asp

    --
    Thanks and Regards,

    Amit Agarwal
    Software Programmer(.NET)
    .NET Follower, Feb 7, 2004
    #2

  3. Madan Nayak

    Madan Nayak Guest

    Hi Amit..

    I think you did not get the issue..
    I had asked about the advantages of using role-based security over doing
    the same thing in session...

    I know that role-based security is a programmatic approach.......Session
    has its own disadvantages....

    Apart from that, how do I convince a developer that role-based security
    is good and safe....

    Pl. advise.
    Madan
    Madan Nayak, Feb 9, 2004
    #3
  4. Madan Nayak

    Madan Nayak Guest

    Hi

    Can anyone from Microsoft tell me the design goal of role-based security in
    the .NET Framework???


    Madan Nayak, Feb 9, 2004
    #4
  5. Actually, what problem are you having?
    Can you state that?



    --
    Thanks and Regards,

    Amit Agarwal
    Software Programmer(.NET)
    .NET Follower, Feb 9, 2004
    #5
  6. Madan Nayak

    Madan Nayak Guest

    Hi Amit..

    I just want to know why I should go for role-based security, which I can
    achieve by using sessions?

    I think I am now much clearer.

    Thanks In Advance.
    Madan

    Madan Nayak, Feb 9, 2004
    #6
  7. Role-based security in .NET allows you to allow or deny access to
    functionality within your code based on a user's identity and role
    membership. ASP.NET session state is just a storage container for data
    associated with a given web session.

    Role-based security in .NET is deeply embedded in the API. This is evident
    through the System.Security.Principal namespace, PrincipalPermission and
    PrincipalPermissionAttribute classes, and Thread.CurrentPrincipal member.
    There is also strong integration support for it in ASP.NET, both with
    Windows authentication and Forms authentication with the FormsPrincipal
    class.

    So, essentially I would tell you to use role-based security when it is
    appropriate. This will give you the most consistent method of using
    role-based security and allow you to take advantage of all of the built-in
    platform service support for it. If your web application requires it, it is
    certainly okay to store your principal information in Session state in order
    to save extra lookups to the store, so you may use the two together. You
    may also use the cache for this.

    I hope that helps some. If you have more detailed questions, please ask.

    Joe K.

    Joe Kaplan (MVP - ADSI), Feb 9, 2004
    #7
  8. Just as there is a method User.IsInRole
    to check whom to give access,
    we can even write our own method
    like the above,
    so we will retrieve the groups from session and check in the function
    whether the user belongs to the group.

    So there is no need for the Principal classes and stuff????

    Please clarify??

    --
    Thanks and Regards,

    Amit Agarwal
    Software Programmer(.NET)
    .NET Follower, Feb 10, 2004
    #8
  9. I'm not saying you have to use the IPrincipal class, I'm just suggesting
    that you should use it where appropriate.

    With IPrincipal, you get a lot more support from the Framework. For
    example, if you use Windows authentication in IIS, the IPrincipal in the
    current HttpContext will already contain a WindowsPrincipal that has all of
    the user's domain groups in it. You don't have to do anything. IPrincipal
    lets you use the PrincipalPermission class as well as the
    PrincipalPermissionAttribute class, so that you can just add attributes
    to your code to allow access.

    IPrincipal integrates with the UrlAuthorizationModule, so you can allow and
    deny access to various resources in your ASP.NET application via the
    <allow/> and <deny/> tags in web.config.

    Finally, IPrincipal is associated with the currently executing thread, so
    you can get the IPrincipal associated with the request from components that
    have no reference to your ASP.NET code or session variables by simply
    calling Thread.CurrentThread.CurrentPrincipal (or using the
    PrincipalPermission or PrincipalPermissionAttribute classes). Thus if your
    code is factored into several tiers (as is the generally recommended .NET
    application architecture), you still have all of these role-based security
    services available to you.

    You don't get any of that extra support by simply having a function and
    using session variables.

    It is still possible to store your role-information in session state if you
    like. In that case, the general practice is to handle the
    Application_AuthenticateRequest event in global.asax and create the
    IPrincipal object based on your stored groups in that function. Thus it is
    very easy to integrate into the .NET role-based security framework. You can
    also do this in an HttpModule very easily. This isn't really significantly
    more work than writing a function to check group membership.

    So, I'm not saying that you have to use IPrincipal. I'm simply suggesting
    that there are some compelling benefits you get from using the APIs the way
    they were intended and it isn't very difficult to integrate with the system.

    HTH,

    Joe K.

    Joe Kaplan (MVP - ADSI), Feb 10, 2004
    #9
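
The pattern described in the post above, as an added example that is not part of the original thread: a principal is built once from stored roles (the step Application_AuthenticateRequest or an HttpModule would perform), and a business-tier class with no reference to session enforces roles through PrincipalPermission. It is a console program for .NET Framework; PayrollService, RoleStore, BuildPrincipal and the user and role names are constructed for illustration.

```csharp
// Added example, not code from the thread. Targets .NET Framework, where
// PrincipalPermission demands are enforced by the runtime.
// All type, user and role names are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Business tier: no reference to System.Web, HttpContext or Session.
public class PayrollService
{
    // Declarative check: the role is demanded before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public string ApproveRaise(string employee)
    {
        return "raise approved for " + employee + " by "
               + Thread.CurrentPrincipal.Identity.Name;
    }

    // Imperative check: the same kind of demand, made in code.
    public string ViewSalary(string employee)
    {
        new PrincipalPermission(null, "Payroll").Demand();
        return "salary record for " + employee;
    }
}

public static class RoleStore
{
    // Stand-in for the stored roles (database, session or cache).
    static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Managers", "Payroll" } },
            { "bob",   new[] { "Payroll" } },
        };

    // Unknown users get no roles, so every demand fails closed.
    public static string[] RolesFor(string user)
    {
        string[] roles;
        return Roles.TryGetValue(user, out roles) ? roles : new string[0];
    }
}

public static class Program
{
    // The per-request step: wrap the authenticated name and its stored roles
    // in an IPrincipal. In ASP.NET the result would be assigned to both
    // HttpContext.Current.User and Thread.CurrentPrincipal.
    public static IPrincipal BuildPrincipal(string authenticatedUser)
    {
        var identity = new GenericIdentity(authenticatedUser, "Forms");
        return new GenericPrincipal(identity, RoleStore.RolesFor(authenticatedUser));
    }

    // Runs a guarded call and reports a failed demand instead of crashing.
    static string Try(Func<string> action)
    {
        try { return action(); }
        catch (SecurityException) { return "DENIED"; }
    }

    public static void Main()
    {
        var service = new PayrollService();
        foreach (var user in new[] { "alice", "bob", "mallory" })
        {
            Thread.CurrentPrincipal = BuildPrincipal(user);
            Console.WriteLine("{0}: IsInRole(Managers) = {1}", user,
                Thread.CurrentPrincipal.IsInRole("Managers"));
            Console.WriteLine("  ApproveRaise -> "
                + Try(() => service.ApproveRaise("carol")));
            Console.WriteLine("  ViewSalary   -> "
                + Try(() => service.ViewSalary("carol")));
        }
    }
}
```

In the ASP.NET pipeline, session state is not yet loaded when AuthenticateRequest fires, so at that point the roles would be read from the cache or the authentication ticket rather than from Session.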
  10. Madan Nayak

    Madan Nayak Guest

    Hi Joe.

    I have used role-based security with a custom principal.

    My question is: the same security I can achieve by using session.

    So what are the advantages of using role-based security over using session..

    I know a few advantages.. Like it is a better programmatic approach... I
    only have to check IsInRole()....

    What else...

    Madan Nayak, Feb 11, 2004
    #10
  11. I thought I just explained all of the additional advantages you get with
    using IPrincipal in my previous post (which is quoted below). Those were
    all the advantages I could think of. Do you need more?

    Joe K.

    "Madan Nayak" <> wrote in message
    news:%...
    > Hi Joe.
    >
    > I have used Role based security with Custom Principal.
    >
    > My question is the same security I can achieve by using session.
    >
    > So what are the advantages of using rolebased security..over using
    > session..
    >
    > I know few advantages.. Like it is a better programmatic approach... Only I
    > have to check IsInRole()....
    >
    > What else...
    >
    > "Joe Kaplan (MVP - ADSI)" <> wrote
    > in message news:O2CTow%...
    > > I'm not saying you have to use the IPrincipal class, I'm just suggesting
    > > that you should use it where appropriate.
    > >
    > > With IPrincipal, you get a lot more support from the Framework. For
    > > example, if you use Windows authentication in IIS, the IPrincipal in the
    > > current HttpContext will already contain a WindowsPrincipal that has all
    > > of the user's domain groups in it. You don't have to do anything.
    > > IPrincipal lets you use the PrincipalPermission class as well as the
    > > PrincipalPermissionAttribute class, so that you can just add attributes
    > > to your code to allow access.
    > >
    > > IPrincipal integrates with the UrlAuthorizationModule, so you can allow
    > > and deny access to various resources in your ASP.NET application via the
    > > <allow/> and <deny/> tags in web.config.
    > >
    > > Finally, IPrincipal is associated with the currently executing thread, so
    > > you can get the IPrincipal associated with the request from components
    > > that have no reference to your ASP.NET code or session variables by simply
    > > calling Thread.CurrentThread.CurrentPrincipal (or using the
    > > PrincipalPermission or PrincipalPermissionAttribute classes). Thus if
    > > your code is factored into several tiers (as is the generally recommended
    > > .NET application architecture), you still have all of these role-based
    > > security services available to you.
    > >
    > > You don't get any of that extra support by simply having a function and
    > > using session variables.
    > >
    > > It is still possible to store your role-information in session state if
    > > you like. In that case, the general practice is to handle the
    > > Application_AuthenticateRequest event in global.asax and create the
    > > IPrincipal object based on your stored groups in that function. Thus it
    > > is very easy to integrate into the .NET role-based security framework. You
    > > can also do this in an HttpModule very easily. This isn't really
    > > significantly more work than writing a function to check group membership.
    > >
    > > So, I'm not saying that you have to use IPrincipal. I'm simply suggesting
    > > that there are some compelling benefits you get from using the APIs the
    > > way they were intended and it isn't very difficult to integrate with the
    > > system.
    > >
    > > HTH,
    > >
    > > Joe K.
    > >
    > > ".NET Follower" <> wrote in message
    > > news:u%...
    > > > just as there is a method of User.IsInRole
    > > > to check whom to give access..
    > > > we can even write our method
    > > > like the above
    > > > so we will retrieve from session the groups and check in the function
    > > > whether the user belongs to the group
    > > >
    > > > so there is no need of the Principal classes and stuff????/
    > > >
    > > > please clarify??
    > > >
    > > > --
    > > > Thanks and Regards,
    > > >
    > > > Amit Agarwal
    > > > Software Programmer(.NET)
    > > > "Joe Kaplan (MVP - ADSI)" <> wrote
    > > > in message news:%2353G$...
    > > > > Role-based security in .NET allows you to allow or deny access to
    > > > > functionality within your code based on a user's identity and role
    > > > > membership. ASP.NET session state is just a storage container for
    > > > > data associated with a given web session.
    > > > >
    > > > > Role-based security in .NET is deeply embedded in the API. This is
    > > > > evident through the System.Security.Principal namespace,
    > > > > PrincipalPermission and PrincipalPermissionAttribute classes, and
    > > > > Thread.CurrentPrincipal member. There is also strong integration
    > > > > support for it in ASP.NET, both with Windows authentication and
    > > > > Forms authentication with the FormsPrincipal class.
    > > > >
    > > > > So, essentially I would tell you to use role-based security when it is
    > > > > appropriate. This will give you the most consistent method of using
    > > > > role-based security and allow you to take advantage of all of the
    > > > > built-in platform service support for it. If your web application
    > > > > requires it, it is certainly okay to store your principal information
    > > > > in Session state in order to save extra lookups to the store, so you
    > > > > may use the two together. You may also use the cache for this.
    > > > >
    > > > > I hope that helps some. If you have more detailed questions, please
    > > > > ask.
    > > > >
    > > > > Joe K.
    > > > >
    > > > > "Madan Nayak" <> wrote in message
    > > > > news:...
    > > > > > Hi Amit..
    > > > > >
    > > > > > I just want to know why should I go for the role base security,
    > > > > > which I can achieve by using sessions?
    > > > > >
    > > > > > I think I am now much clear.
    > > > > >
    > > > > > Thanks In Advance.
    > > > > > Madan
    > > > > >
    > > > > > ".NET Follower" <> wrote in message
    > > > > > news:%...
    > > > > > > actually what prob r u having
    > > > > > > can u state that
    > > > > > >
    > > > > > >
    > > > > > >
    > > > > > > --
    > > > > > > Thanks and Regards,
    > > > > > >
    > > > > > > Amit Agarwal
    > > > > > > Software Programmer(.NET)
    > > > > > > "Madan Nayak" <> wrote in message
    > > > > > > news:...
    > > > > > > > Hi
    > > > > > > >
    > > > > > > > Does Any one from microsoft tell me the design goal of rolebased
    > > > > > > > security in .Net framework???
    > > > > > > >
    > > > > > > >
    > > > > > > > ".NET Follower" <> wrote in message
    > > > > > > > news:%...
    > > > > > > > >
    > > > > > > > >
    > > > > > > > > ya u can use session with role based security ,
    > > > > > > > >
    > > > > > > > > just put roles from database into session and retrieve roles
    > > > > > > > > when required ....
    > > > > > > > > any further help is welcomed
    > > > > > > > >
    > > > > > > > > even 4guys from rolla has good articles
    > > > > > > > >
    > > > > > > > >
    > > > > > > > >
    > > > > > > > >
    > > > > > > > >
    > > > > > > > > http://www.eggheadcafe.com/articles/20020906.asp
    > > > > > > > >
    > > > > > > > > --
    > > > > > > > > Thanks and Regards,
    > > > > > > > >
    > > > > > > > > Amit Agarwal
    > > > > > > > > Software Programmer(.NET)
    > > > > > > > > "Madan Nayak" <> wrote in message
    > > > > > > > > news:...
    > > > > > > > > > Hi All..
    > > > > > > > > >
    > > > > > > > > > Can any body detail out the basic
    > > > > > > > > > diff/advantages/disadvantage over achieving
    > > > > > > > > > the role based security and the same thing in case of
    > > > > > > > > > achieved through session.....
    > > > > > > > > >
    > > > > > > > > >
    > > > > > > > > > Thanks
    > > > > > > > > > Madan
    > > > > > > > > >
    > > > > > > > > >
    Joe Kaplan (MVP - ADSI), Feb 11, 2004
    #11
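Added example, not code from the thread or from any poster: one way to wire up the integration described in the quoted post, building the IPrincipal in Application_AuthenticateRequest so that a tier with no ASP.NET reference can demand a role. RoleStore, the user and role names, the cache key and the five-minute lifetime are assumptions made for illustration; the roles are kept in the cache (also mentioned in the thread) because session state is not yet loaded when this event fires.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Caching;

// Hypothetical role lookup; a real one would query the application's user store.
public static class RoleStore
{
    public static string[] GetRolesForUser(string userName)
    {
        // Constructed sample data.
        return userName == "alice" ? new[] { "Managers", "Staff" } : new[] { "Staff" };
    }
}

// Code-behind for Global.asax.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return; // anonymous: no roles attached, UrlAuthorizationModule decides

        // Session state is not available in this event (it is loaded later, at
        // AcquireRequestState), so the roles live in the application cache.
        string name = ctx.User.Identity.Name;
        string key = "roles:" + name;
        string[] roles = (string[])ctx.Cache[key];
        if (roles == null)
        {
            roles = RoleStore.GetRolesForUser(name);
            // Short absolute expiry bounds how long a revoked role stays usable.
            ctx.Cache.Insert(key, roles, null,
                DateTime.UtcNow.AddMinutes(5), Cache.NoSlidingExpiration);
        }

        IPrincipal principal = new GenericPrincipal(ctx.User.Identity, roles);
        ctx.User = principal;                // read by User.IsInRole and <allow roles="..."/>
        Thread.CurrentPrincipal = principal; // read by PrincipalPermission in any tier
    }
}

// Business tier: no reference to System.Web or to session variables.
public class PayrollService
{
    // The runtime throws SecurityException unless the caller is in "Managers".
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public void ApproveRaise(int employeeId) { /* privileged work */ }

    public bool CanSeeSalaries()
    {
        return Thread.CurrentPrincipal.IsInRole("Managers");
    }
}

// Matching web.config rule, enforced by UrlAuthorizationModule ("Admin" is a sample path):
//   <location path="Admin"><system.web><authorization>
//     <allow roles="Managers"/> <deny users="*"/>
//   </authorization></system.web></location>
```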
  12. Madan Nayak

    Madan Nayak Guest

    Thanks Joe.


    Madan Nayak, Feb 11, 2004
    #12