Security and Audit functionality

MattC

Hi,

I have a requirement that security be devised at page level. I am also
required to keep an audit trail of who performed what action, when and what
on.

My current solution is as follows:

Create 5 DB tables: Users, SecurityProfiles, SystemTasks, TasksProfileLinks,
Audit.

For this to work each user is given a SecurityProfileID, and a security profile
is told which SystemTasks can be performed (via the TasksProfileLinks
table). As each ASPX page loads it will have hardcoded the name of the
SystemTask it is designed to perform. It will then take the current
session's SecurityProfileID and determine if this user is allowed to view the
page; if not, a redirect takes place and the UserID, SystemTask and
DateTime are entered into the audit table.

Although this would work, it does require that each page knows ahead of time
what its SystemTask name is.

Has anyone done something similar to this before and has a better
implementation?

Thanx in advance.

Matt
 
Raymond Lewallen

Although this would work, it does require that each page knows ahead of
time what its SystemTask name is.

I do something very similar. Each user logs into the application under a
particular roleId. For the SystemTask name, I use the class name of the
code-behind page. These SystemTasks and roleIds are cross-referenced in a
table that I perform a lookup against. If a record is found, they can see
the page and I record the audit data; otherwise, if no record is found, they
cannot see the page.

To get the name of the class you are currently working in, use:

System.Reflection.MethodBase.GetCurrentMethod().DeclaringType.Name

This is how I solve knowing what the SystemTask is ahead of time, as each
aspx page is a task in our system.

HTH,

Raymond Lewallen
 
MattC

Raymond,
Cool solution. Here's a question.

If the call to
'System.Reflection.MethodBase.GetCurrentMethod().DeclaringType.Name' is made
within an ascx file which is a header that I place on every page, will
.Name return the class name of the control or the page that contains it?

Thanks

Matt
 
Prodip Saha

Security is something very important and most of us (developers) normally
don't pay attention to it at the beginning. The PreRequestHandlerExecute event in the
Global.cs file is a good place to validate the user. Visual Studio .NET by
default doesn't add this event handler in the Global.cs file, so you will have
to add it. Every http request must pass through this event handler,
and it is easy to get the url and other user-related information in this
event.

To extend this further, you can even find out who is accessing what page and
when... don't like user X? Redirect him/her to a designated page... the list
can go on.

protected void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
{
    // Reduce the request to the page name: strip everything up to and including
    // the last "/". RawUrl still carries any query string after the page name.
    string sUrl = HttpContext.Current.Request.RawUrl;
    if (sUrl.LastIndexOf("/") >= 0)
    {
        sUrl = sUrl.Substring(sUrl.LastIndexOf("/") + 1);
    }
    // Identity of the authenticated user, for the permission lookup and the audit entry.
    string sUserName = HttpContext.Current.User.Identity.Name;
}

Hope that helps.
Prodip Saha
 
Raymond Lewallen

That's a problem I ran into originally. It will return the class name of the ascx.
I have a SecurityControl.ascx file, but I pass the calling class name as a
parameter into the SecurityControl function that does the validating.
 
MattC

Raymond,

The only problem I see with this is that it means you have to have one page
per system feature. For example, say I wished to have one page that
handled viewing certain data but that would also be used for editing that
same data. Given this solution the call would return the same class name whether
you were editing or viewing the data. I need that distinction, but without
having a page for viewing, a page for editing, etc.

MattC
 
Raymond Lewallen

Matt,

Yes, in your scenario, I do see your problem. You may get stuck with static
task names hard-coded into the class, depending on the current function the
user is performing, in which the code for both tasks is contained.

Sorry I don't have any further input at the moment; if I come up with
something else, I'll post back.

Raymond Lewallen
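The five-table design from the first post, carried through as a runnable example added here (Python with SQLite rather than ASP.NET, and not code from any poster in this thread): the task name is the page class name plus an action, which gives the view/edit distinction Matt asks for on one page, the lookup is default-deny through the user's profile, and every decision, allowed or denied, lands in the Audit table. Column names and the sample rows are assumptions, not from the thread.

```python
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE Users(UserID INTEGER PRIMARY KEY, UserName TEXT, SecurityProfileID INTEGER);
CREATE TABLE SecurityProfiles(SecurityProfileID INTEGER PRIMARY KEY, Name TEXT);
CREATE TABLE SystemTasks(SystemTaskID INTEGER PRIMARY KEY, TaskName TEXT UNIQUE);
CREATE TABLE TasksProfileLinks(SecurityProfileID INTEGER, SystemTaskID INTEGER,
                               PRIMARY KEY(SecurityProfileID, SystemTaskID));
CREATE TABLE Audit(AuditID INTEGER PRIMARY KEY AUTOINCREMENT, UserID INTEGER,
                   TaskName TEXT, Allowed INTEGER, AuditTime TEXT);
"""
# Constructed sample data (not from the thread). Task names are keyed by page
# AND action so one Customers page can carry separate View and Edit tasks.
SAMPLE = """
INSERT INTO SecurityProfiles VALUES (1,'Clerk'),(2,'Manager');
INSERT INTO Users VALUES (10,'clerk1',1),(11,'mgr1',2);
INSERT INTO SystemTasks VALUES (1,'Customers.aspx:View'),(2,'Customers.aspx:Edit');
INSERT INTO TasksProfileLinks VALUES (1,1),(2,1),(2,2);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def task_name(page, action="View"):
    """SystemTask name = page class name + the action being performed."""
    return f"{page}:{action}"

def check_access(conn, user_id, page, action="View"):
    """Default-deny lookup via the user's profile; every decision is audited."""
    task = task_name(page, action)
    row = conn.execute("""
        SELECT 1 FROM Users u
        JOIN TasksProfileLinks l ON l.SecurityProfileID = u.SecurityProfileID
        JOIN SystemTasks t ON t.SystemTaskID = l.SystemTaskID
        WHERE u.UserID = ? AND t.TaskName = ?""", (user_id, task)).fetchone()
    allowed = row is not None
    conn.execute("INSERT INTO Audit(UserID, TaskName, Allowed, AuditTime) VALUES (?,?,?,?)",
                 (user_id, task, int(allowed), datetime.now(timezone.utc).isoformat()))
    conn.commit()
    return allowed   # the page redirects when this is False

def audit_rows(conn, user_id):
    """Who did what and whether it was allowed, oldest first."""
    return conn.execute("SELECT TaskName, Allowed FROM Audit WHERE UserID=? ORDER BY AuditID",
                        (user_id,)).fetchall()
```

An unknown user or an unregistered task name simply finds no link row and is denied, so a page whose task was never entered in SystemTasks fails closed rather than open.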