Rule based security using Microsoft Enterprise Library and CAS


Introduction

Rule based security is a very effective way to authorize your code, and code access security is a clean, easy to use and effective way to handle the security validation.

The Enterprise Library Security Application Block provides a configurable way to handle Rule based security.

In this article I’ll explain a solution to secure web applications using custom membership and role providers with the Enterprise Library Security Application Block and code access security.

You need the Enterprise Library installed.

Using the code

First, we need to implement our custom membership provider, in this example I’ll just use static code to explain the provider [Not going to the database or anything].

For this sample I just need to implement the following method:

public override bool ValidateUser(string username, string password)
        {
            return true;
        }

Then, we need to implement our custom role provider.

I just need the following to implement methods:

public override string[] GetRolesForUser(string username)
{
            return SecurityProvider.GetRolesForUser(username);}

public override bool IsUserInRole(string username, string roleName)
{
            return SecurityProvider.IsUserInRule(HttpContext.Current.User, roleName);}

Sure, you can build your own providers with a custom database.

Now, Let’s have a look on the [SecurityProvider] class:

public class SecurityProvider{
        public static bool IsUserInRule(IPrincipal principal, string ruleName)
        {
            IAuthorizationProvider authorizationProvider = AuthorizationFactory.GetAuthorizationProvider();
            return authorizationProvider.Authorize(principal, ruleName);
        }

        public static string[] GetRolesForUser(string username)
        {
            switch (username.ToLower())
            {
                case ("admin"):
                    return new string[] { "Admin" };

                case ("manager"):
                    return new string[] { "Manager" };

                case ("user"):
                    return new string[] { "User" };

                default:
                    return new string[] { "" };

            }
        }
    }

I use the Enterprise Library Security Application Block to make the validation on the rules from the configuration file.

Then, we need to implement a custom CAS permission and attribute like the following [Not implemented functions removed from the next code section but is available in the source code]

public class RulesSecurityPermission : IPermission
    {

        private string _rule;
        public string Rule
        {
            get
            {
                return this._rule;
            }
            set
            {
                this._rule = value;
            }
        }

        public RulesSecurityPermission(string roleName)
        {
            _rule = roleName;
        }

        void IPermission.Demand()
        {
            if (!SecurityProvider.IsUserInRule(Thread.CurrentPrincipal, Rule))
                throw new SecurityException();
        }
    }
public class RulesSecurityPermissionAttribute : CodeAccessSecurityAttribute
    {
        public RulesSecurityPermissionAttribute(SecurityAction action)
            : base(action)
        {
            
        }

        public override IPermission CreatePermission()
        {
            return new RulesSecurityPermission(Rule);
        }
        
        private string _role;
        public string Rule
        {
            get
            {
                return this._role;
            }
            set
            {
                this._role = value;
            }
        }
    }

Now, let’s have a look on the configurations file:

<configuration>
  <configSections>
    <section name="securityConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Security.Configuration.SecuritySettings, Microsoft.Practices.EnterpriseLibrary.Security, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </configSections>
  <securityConfiguration defaultAuthorizationInstance="RuleProvider" defaultSecurityCacheInstance="">
    <authorizationProviders>
      <add type="Microsoft.Practices.EnterpriseLibrary.Security.AuthorizationRuleProvider, Microsoft.Practices.EnterpriseLibrary.Security, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
        name="RuleProvider">
        <rules>
          <add expression="R:Admin" name="Administratoin" />
          <add expression="R:Admin OR R:Manager" name="Management" />
          <add expression="R:Manager OR R:User" name="Usage" />
        </rules>
      </add>
    </authorizationProviders>
  </securityConfiguration>

  <system.web>
    
    <compilation debug="true" />
    
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx">
      </forms>
    </authentication>
    
    <authorization>
      <deny users="?"/>
    </authorization>
    
    <membership defaultProvider="CustomMembershipProvider">
      <providers>
        <clear/>
        <add name="CustomMembershipProvider" type="Shokr.Security.RuleBasedSecurity.CustomMembershipProvider"/>
      </providers>
    </membership>
    
    <roleManager defaultProvider="CustomRolesProvider" enabled="true">
      <providers>
        <clear/>
        <add name="CustomRolesProvider" type="Shokr.Security.RuleBasedSecurity.CustomRolesProvider" />
      </providers>
    </roleManager>
    
    </system.web>
</configuration>

In the above code, I had registered the [AuthorizationRuleProvider] from the Enterprise Library and configured our custom membership and roles providers.

Finally, this is the sample in action:

Navigate to the login page, and login with [admin] and any password.

image

You will be redirected to the default page:

image

Click on [Administrative function], you will see that the method executed successfully

image

Click on [User function], you will see security error:

image

Sample project

I hope that helped

Ahmed

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s