N
nugget
Role-based security for an ASP/ASP.NET mixed environment
Hello:
My co-worker and I have been charged with designing role-based security
for our intranet. The technologies we have to work with are ASP and
ASP.NET. This security design must support *both* technologies.
Currently, we have a successful collection of both ASP and ASP.NET
applications with an identical look and feel; you'd only know they are
different by virtue of an ASP or and ASPX file extension. These
applications all support a common authentication scheme implemented
through cookies. This scheme is simple and very low-security: check
for a "userID" cookie with a well-known name. While we plan to tighten
this up (using some sort of encrypted token/userID combo), our problem
lies in how we need to use roles.
If this were a pure ASP.NET site, I don't think we'd have as much
trouble as I anticipate, however we need to support the classic ASP
side as well. We plan on implementing the actual application security
roles in Active Directory groups with well-known names. For example,
"East Coast Office Project Editor" and "Checking Account
Administrator". Although individual users will (optimally) most likely
be placed in only one group (e.g. "Central Office, Dept. B, Teller
Position 3"), through multiple group containment they could conceivably
be indirect members of hundreds of application roles. The problem I
foresee is that of performance. For a highly role-based application,
each page refresh is going to have to ask whether the current user is a
member of roles A, B, F, Q, and X; this in order to allow or deny
access to the page itself, certain sections, edit or read-only, and
even field-level access. So, I'm worried that it may not be the best
idea to be directly querying AD 10, 20 times on every page refresh.
Assuming that this scenario is not acceptable, I would think the only
other way is to somehow cache the collection of direct and indirect
roles to which the logged-in user is a member.
At this point, I have to think of the best way to do this not only for
ASP.NET, but also for ASP. Ignoring ASP, I suppose there is the
possibility of performing this query for all the user's roles and then
stuffing this in a session-based dictionary/hashtable/whatever for
quick lookup. Then, if the user is a member of 100s of roles, I have
to worry about 40-50 concurrent sessions, each with all these roles.
What kind of performance am I going to get out of session with this
much data? Ignoring that, how do I implement the same thing in ASP?
At this point, you may be thinking I'm an amateur ... and I certainly
would not disagree with you, at least from a security standpoint. So I
think about how exactly these roles are "queried" by the application.
While having the list easily at hand while the page is executing, I
figure the only question that has to be answered (granted, many times
in succession) is "Is the current user a member of role QPR?" I don't
ever really need to have a list of roles and I don't need to go through
the list and display their names. Mainly, I just need this very simple
boolean pseudo code: "IsMember( userName, roleName )". Again here,
please don't flame me for my amateurishness, but isn't there a way to
encode or encrypt those group names with the user name into a
relatively small block of data and just "query" the block with the user
name and group name and get back a yes or no if they "jive"? Is this
what's called a hash or a token? Or does this even exist?
If I'm not making myself clear here, I mainly want to take a user and
the known groups of which s/he is a member. Then, mathematically or
cryptographically "melt" them all together into a small block of data
for storage and easy querying. The pseudo code would look something
like IsMember( userName, groupName, AUTHORIZATION_BLOCK ) and get back
a boolean. The AUTHORIZATION_BLOCK would be this "melted" block of
data that was created from the combination of the user and the groups.
This AUTHORIZATION_BLOCK would be small enough to fit into ASP session,
which I've heard it is dangerous to store objects to.
Am I over-engineering here? Am I looking for the wrong thing? Are the
multiple queries to AD for every page refresh not as expensive as I
think it will be?
Hello:
My co-worker and I have been charged with designing role-based security
for our intranet. The technologies we have to work with are ASP and
ASP.NET. This security design must support *both* technologies.
Currently, we have a successful collection of both ASP and ASP.NET
applications with an identical look and feel; you'd only know they are
different by virtue of an ASP or and ASPX file extension. These
applications all support a common authentication scheme implemented
through cookies. This scheme is simple and very low-security: check
for a "userID" cookie with a well-known name. While we plan to tighten
this up (using some sort of encrypted token/userID combo), our problem
lies in how we need to use roles.
If this were a pure ASP.NET site, I don't think we'd have as much
trouble as I anticipate, however we need to support the classic ASP
side as well. We plan on implementing the actual application security
roles in Active Directory groups with well-known names. For example,
"East Coast Office Project Editor" and "Checking Account
Administrator". Although individual users will (optimally) most likely
be placed in only one group (e.g. "Central Office, Dept. B, Teller
Position 3"), through multiple group containment they could conceivably
be indirect members of hundreds of application roles. The problem I
foresee is that of performance. For a highly role-based application,
each page refresh is going to have to ask whether the current user is a
member of roles A, B, F, Q, and X; this in order to allow or deny
access to the page itself, certain sections, edit or read-only, and
even field-level access. So, I'm worried that it may not be the best
idea to be directly querying AD 10, 20 times on every page refresh.
Assuming that this scenario is not acceptable, I would think the only
other way is to somehow cache the collection of direct and indirect
roles to which the logged-in user is a member.
At this point, I have to think of the best way to do this not only for
ASP.NET, but also for ASP. Ignoring ASP, I suppose there is the
possibility of performing this query for all the user's roles and then
stuffing this in a session-based dictionary/hashtable/whatever for
quick lookup. Then, if the user is a member of 100s of roles, I have
to worry about 40-50 concurrent sessions, each with all these roles.
What kind of performance am I going to get out of session with this
much data? Ignoring that, how do I implement the same thing in ASP?
At this point, you may be thinking I'm an amateur ... and I certainly
would not disagree with you, at least from a security standpoint. So I
think about how exactly these roles are "queried" by the application.
While having the list easily at hand while the page is executing, I
figure the only question that has to be answered (granted, many times
in succession) is "Is the current user a member of role QPR?" I don't
ever really need to have a list of roles and I don't need to go through
the list and display their names. Mainly, I just need this very simple
boolean pseudo code: "IsMember( userName, roleName )". Again here,
please don't flame me for my amateurishness, but isn't there a way to
encode or encrypt those group names with the user name into a
relatively small block of data and just "query" the block with the user
name and group name and get back a yes or no if they "jive"? Is this
what's called a hash or a token? Or does this even exist?
If I'm not making myself clear here, I mainly want to take a user and
the known groups of which s/he is a member. Then, mathematically or
cryptographically "melt" them all together into a small block of data
for storage and easy querying. The pseudo code would look something
like IsMember( userName, groupName, AUTHORIZATION_BLOCK ) and get back
a boolean. The AUTHORIZATION_BLOCK would be this "melted" block of
data that was created from the combination of the user and the groups.
This AUTHORIZATION_BLOCK would be small enough to fit into ASP session,
which I've heard it is dangerous to store objects to.
Am I over-engineering here? Am I looking for the wrong thing? Are the
multiple queries to AD for every page refresh not as expensive as I
think it will be?