March 2004 - Posts

- Now, the Windows Server 2003 Authorization Manager exposes a COM API, which has the unfortunate name AzMan, that can be used to query the authorization store at run-time to identify the operations that the current user is permitted to perform. Specifically, Read More...
- So, let us follow these four steps to populate the authorization store for our application. We begin by creating operations that map to menu options and buttons on the main form of the application. An additional operation, called Miscellaneous, is created Read More...
- Once one has created an authorization store, one can proceed to use the Management Console snap-in to populate that store for that application. There are four steps to complete. One begins by defining operations. Those are atomic actions that a user can Read More...
- So much for the user authentication requirements of application security; what about user authorization? Most applications have user interfaces with menus, button bars and buttons, and we often want to restrict users' access to those operations based on Read More...
- Here is the code for the main form of our Smart Client that handles the event of the user changing his or her language preference. private bool fLanguage_Switch(string sLanguage, System.Windows.Forms.MenuItem rMenuItem) { try { if(!(frmMain.fLanguage_CheckMenuItem(rMenuItem))) Read More...
- Back in the code for the start-up of the primary form of the Smart Client, static void Main (string[] asArguments) { Hashtable rArguments = null; try { rArguments = CUtility.rParseCommandLineArguments(asArguments, frmMain.c_sArgumentSeparator_Prefix, frmMain.c_sArgumentSeparator_Suffix); Read More...
- The Authentication Web Service is configured for Windows Authentication, so the credentials are automatically encrypted and validated against the Active Directory for the domain. As we know already, though, not all of the users identified in Active Directory Read More...
- I've been working on a Compact Framework application this week. My most-excellent colleague, Rockin' Ryan Storgaard (go read his blog instead of mine), referred me to SOTI's (www.soti.net) terrific Pocket Controller tool. It displays the screen of your Read More...
- Alright: at this point we have the foundation of our user authentication strategy set up. Let's see how our application actually authenticates its users. We'll begin at the entry point of the application, the static Main method of the primary form. Read More...
- Everything is now in place for the users in the YourApplicationUsers group within Active Directory to be provisioned in ADAM. So, we go to the MIIS Identity Manager and clear out the connector spaces for the ADAM and Active Directory management agents. Read More...
- Remember, however, that we don't want all of the users in Active Directory provisioned in ADAM, but only those that belong to the YourApplicationUsers group within Active Directory, yet nothing in the code for our meta-verse rule extension checked Read More...
- Now, our MIIS management agents can be configured to do either imports or exports when they execute. Importing means, as one might expect, moving objects into the connector space and potentially projecting them into the meta-verse. Exporting means moving Read More...
- Let's start with the basic problem of how to provision users in ADAM that exist in Active Directory. The solution lies in MIIS rule extensions. Rule extensions are .NET DLLs with classes that implement either one of two interfaces defined in the Read More...
- At this point, let's return to our scenario. Remember that our client organization has Active Directory as its directory service, while our application uses ADAM as its user data repository. Everyone in the organization is catalogued in the Active Read More...
- Terrific Ted Neward was kind enough to post a link to my ongoing Application Security series on TheServerSide.NET. Thanks, Ted: I've read your stuff too, and I'm a huge fan. Anyone who is reading my blog should be reading his instead! Read More...
- Okay: so now we have our ADAM directory service configured for TaskVision II, thereby completing the first step in our deployment of that application. The next step, you will recall, was that of setting up a channel of communication to ADAM from Read More...
- I would like to mention to you that a tool that I find invaluable for working with both Active Directory and ADAM is the simple Active Directory Service Viewer, ADSVW.EXE, that shipped with the Windows 2000 Resource Kit. When you absolutely, positively Read More...
- Manipulating ADAM programmatically can be a little challenging. First, the documentation that is installed with ADAM does not cover its programming interfaces. However, that documentation can be found within MSDN, under Networking and Directory Services. Read More...
- So, that is the theory of how ADAM, MIIS, and Authorization Manager can facilitate application security. Let's see how they work together in practice. For that purpose, let us assume that we are a software vendor selling an application to an organization, Read More...
- Darrell wrote: If the organization you are developing for does have a directory service, but you need to modify the schema. In those cases, I have relied on AD for authentication, and then additional attributes linking userIDs to permissions for authorization. Read More...
- COM+ provided an infrastructure for role-based security. With role-based security, users are grouped according to their function, and are assigned permissions to perform abstract operations, each of which may involve a number of actions performed on a Read More...
- So, what we would really like to be able to do in administering permissions for an application is the following: we would like to be able to define abstract operations for which we would want to control authorization, abstract operations that we Read More...
- The .NET Framework Class Library provides authorization facilities in its System.Security.Principal namespace. It defines an interface, IPrincipal, that incorporates a method, IsInRole, that one can use for manual authorization checks. For example, Read More...
- Now, we said that application security was about authentication—controlling who accessed your application—as well as about authorization—controlling what folk who were permitted access would be allowed to do. ADAM and MIIS are the tools Read More...
- Access control lists are available in Windows NT, Windows 2000, Windows XP and Windows Server 2003. They provide for what may be described as object-centric authorization, in which permissions are associated with objects, such as files and folders. Object-centric Read More...
- Now, let's step back to ADAM and merge MIIS into the picture. Data for the users of our application is stored in ADAM. When our application is deployed in an enterprise with one or more directory services, then MIIS can be used to get the data for Read More...
- What we are hearing from our customers is that they want their applications to become better corporate citizens. They want them to rely on user data in a global directory service, rather than adding their own proprietary repository of that data to the Read More...
- Now, of course, you are thinking that if the problem with storing my data in my relational database was that it added yet another repository of user data to the enterprise, thereby magnifying the effort required of them to administer their users, well, Read More...