Security and Audit functionality

Discussion in 'ASP .Net Security' started by MattC, May 25, 2004.

  1. MattC

    MattC Guest

    Hi,

    I have a requirement that security be devised at page level, I am also
    required to keep an audit trail of who performed what action, when and what
    on.

    My current solution is as follows:

    Create 5 DB tables: Users, SecurityProfiles, SystemTasks, TasksProfileLinks,
    Audit.

    For this to work each user is given a securityprofileID, a security profile
    is told which SystemTasks can be performed (via the TasksProfileLinks
    table). As each ASPX page loads it will have hardcoded the name of the
    Systemtasks it is designed to perform. It will then take the current
    sessions SecurityProfileID and determine if this user is allowed to view the
    page, if not then a redirect takes place and the UserID, SystemTask,
    DateTime are entered into the audit table.

    Although this would work, it does require that each page knows ahead of time
    what its SystemTask name is.

    Has anyone done something similar to this before and have a better
    implementation.

    Thanx in advance.

    Matt
    MattC, May 25, 2004
    #1

  2. > Although this would work, it does require that each page knows ahead of time
    > what its SystemTask name is.


    I do something very similar. Each user logs into the application under a
    particular roleId. For the SystemTask name, I use the class name of the
    code behind page. These SystemTasks and roleIds are cross-referenced in a
    table that I perform a lookup against. If a record is found, they can see
    the page and I record the audit data, otherwise if no record, no can see
    page.

    To get the name of the class you are currently working in, use:

    System.Reflection.MethodBase.GetCurrentMethod().DeclaringType.Name

    This is how I solve knowing what the SystemTask is ahead of time, as each
    aspx page is a task in our system.

    HTH,

    Raymond Lewallen
    Raymond Lewallen, May 25, 2004
    #2

  3. MattC

    MattC Guest

    Raymond,
    Cool solution. Here's a question.

    If the call to
    'System.Reflection.MethodBase.GetCurrentMethod().DeclaringType.Name' is made
    within an ascx file which is a header that I place on every page. Will
    .Name return the class name of the control or the page that contains it?

    Thanks

    Matt


    MattC, May 25, 2004
    #3
  4. MattC

    Prodip Saha Guest

    Security is something very important and most of us (developers) normally
    don't pay attention at the beginning. PreRequestHandlerExecute event in the
    Global.cs file is a good place to validate the user. Visual Studio .NET by
    default doesn't add this event handler in the Global.cs file so you will have
    to add it. One must pass through this event handler for every HTTP request
    and it is easy to get the URL and other user related information in this
    event.

    To extend this further--you can even find out who is accessing what page and
    when....don't like user X redirect him/her to a designated page...the list
    can go on.

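    // Goes in the Global class; requires the System and System.Web namespaces.
    protected void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
    {
        // RawUrl includes the query string, e.g. "/app/Orders.aspx?id=1".
        string sUrl = HttpContext.Current.Request.RawUrl;

        // Keep only what follows the last "/", so that "/Orders.aspx" and
        // "/app/Orders.aspx" both yield "Orders.aspx".
        int lastSlash = sUrl.LastIndexOf("/");
        if (lastSlash >= 0)
        {
            sUrl = sUrl.Substring(lastSlash + 1);
        }

        // Name of the authenticated user; an empty string for anonymous requests.
        string sUserName = HttpContext.Current.User.Identity.Name;
    }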

    Hope that helps.
    Prodip Saha

    Prodip Saha, May 25, 2004
    #4
  5. Problem I ran into originally. It will return the class name of the ascx.
    I have a SecurityControl.ascx file, but pass the calling class name as a
    parameter into the SecurityControl function that does the validating.

    Raymond Lewallen, May 25, 2004
    #5
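
The behaviour discussed in posts #3 and #5, as an added console example (not code from any poster): `GetCurrentMethod().DeclaringType` names the class that declares the method, so a check placed in a shared control or base page resolves to the same task name for every page. The class names `SecurityControl`, `BasePage`, `ViewOrders` and `EditOrders` are hypothetical stand-ins.

```csharp
using System;
using System.Reflection;

// Hypothetical stand-in for the code-behind of a shared header control.
class SecurityControl
{
    // Reflection names the class that declares this method, never the caller.
    public string TaskFromReflection()
    {
        return MethodBase.GetCurrentMethod().DeclaringType.Name;
    }

    // The approach from post #5: the hosting page passes its own name in.
    public string TaskFromCaller(string callingClassName)
    {
        return callingClassName;
    }
}

// Hypothetical shared base class that centralises the check for all pages.
class BasePage
{
    protected readonly SecurityControl Header = new SecurityControl();

    // Declared here, so every derived page reports "BasePage".
    public string DeclaredName() { return MethodBase.GetCurrentMethod().DeclaringType.Name; }

    // The runtime type identifies the concrete page that was requested.
    public string RuntimeName() { return GetType().Name; }

    public string ViaControlReflection() { return Header.TaskFromReflection(); }
    public string ViaControlParameter() { return Header.TaskFromCaller(GetType().Name); }
}

class ViewOrders : BasePage { }
class EditOrders : BasePage { }

static class Program
{
    static void Main()
    {
        foreach (BasePage page in new BasePage[] { new ViewOrders(), new EditOrders() })
        {
            Console.WriteLine("{0}: declared={1} control={2} runtime={3} passed={4}",
                page.GetType().Name, page.DeclaredName(), page.ViaControlReflection(),
                page.RuntimeName(), page.ViaControlParameter());
        }
    }
}
```

In ASP.NET Web Forms the runtime type of a page is the class compiled from the .aspx markup, which derives from the code-behind class, so there `GetType().BaseType.Name` is what gives the code-behind name.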
  6. MattC

    MattC Guest

    Raymond,

    The only problem I see with this is that it means you have to have one page
    per system feature. For example, say I wished to have one page that
    handled viewing certain data but that would also be used for editing that
    same data. Given this solution the call would return the same class name if
    you were editing or viewing the data, I need that distinction but without
    having a page for viewing, a page for editing, etc.

    MattC


    MattC, May 26, 2004
    #6
  7. Matt,

    Yes, in your scenario, I do see your problem. You may get stuck with static
    task names hard coded into the class depending on the current function the
    user is performing, of which the code for both tasks are contained.

    Sorry I don't have any further input at the moment, if I come up with
    something else, I'll post back.

    Raymond Lewallen

    Raymond Lewallen, May 26, 2004
    #7
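
One way to keep the view/edit distinction from posts #6 and #7 on a single page, as an added example (not code from any poster): the SystemTask name is built from the page class plus the action about to run, the lookup denies anything not listed, and every decision is written to the audit trail. The in-memory collections are constructed stand-ins for the TasksProfileLinks and Audit tables from post #1; the `PageSecurity` class, the task naming scheme and the sample IDs are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Constructed in-memory stand-ins for the TasksProfileLinks and Audit tables.
static class PageSecurity
{
    // Key: "securityProfileId|SystemTask". Anything not listed is denied.
    static readonly HashSet<string> TasksProfileLinks =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "1|Orders.View", "2|Orders.View", "2|Orders.Edit"
        };

    public static readonly List<string> Audit = new List<string>();

    // pageClass: code-behind class name; action: what the request is about to do.
    public static bool Authorize(int userId, int profileId, string pageClass, string action)
    {
        string task = pageClass + "." + action;
        bool allowed = TasksProfileLinks.Contains(profileId + "|" + task);

        // Record both outcomes: who, which task, when, and the decision.
        Audit.Add(string.Format("{0:o} user={1} task={2} result={3}",
            DateTime.UtcNow, userId, task, allowed ? "ALLOW" : "DENY"));
        return allowed;
    }
}

static class Program
{
    static void Main()
    {
        // Same page class, different action. The action comes from server-side
        // state (which handler is running), never from a client-supplied name.
        Console.WriteLine(PageSecurity.Authorize(101, 1, "Orders", "View"));
        Console.WriteLine(PageSecurity.Authorize(101, 1, "Orders", "Edit"));
        Console.WriteLine(PageSecurity.Authorize(102, 2, "Orders", "Edit"));
        // A page nobody registered is denied by default.
        Console.WriteLine(PageSecurity.Authorize(102, 2, "Reports", "View"));

        foreach (string row in PageSecurity.Audit) Console.WriteLine(row);
    }
}
```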