Security Application Block Details

1. Introduction

The security application block has been designed to address the following areas.

  • Authorisation
  • Role management
  • Profile management
  • Caching principals (caching profile information and security-related credentials)

The Security Application Block focuses on a role-based security model. It simplifies these tasks by handling them in a consistent manner and by abstracting the application code from the specific security providers. The authentication, authorisation, role and profile providers can work completely independently of one another, although they are closely related. Providers are swapped through configuration changes alone, without changing the application code.

Supplied Security Application Block Providers

Action           Provider
Authorisation    • Authorisation Rule Provider
                 • AzMan Provider (Authorization Manager)
Security Cache   • Cache Store Provider (uses the Caching Application Block as its cache manager)

The tasks that each provider accomplishes are defined by its interface. The Security Application Block ships with providers for common systems; however, developers can create their own (custom) providers to interface with other systems.

Authentication depends on the MembershipProvider classes in the System.Web.Security namespace.

Membership Providers for Authentication

Action           Provider
Authentication   • SQL Membership Provider
                 • Active Directory Membership Provider

Note: the SQL Membership Provider relies on the existence of a specific database schema to function properly.

2. Usage

References

To use the Security Application Block, add the following assembly as a reference to the project or install it in the GAC:

Microsoft.Practices.EnterpriseLibrary.Security.dll

together with the core assemblies:

Microsoft.Practices.EnterpriseLibrary.Common.dll
Microsoft.Practices.ObjectBuilder.dll

If the application is configured to use the AzMan provider, also add the following assemblies as references to the project or install them in the GAC:

Microsoft.Practices.EnterpriseLibrary.Security.AzMan.dll
Microsoft.Interop.Security.AzRoles.dll

Note: information about configuring the store with AzMan.msc, with a reference to the Microsoft article, still needs to be added.

Namespaces

The following namespace needs to be imported in the classes that use the security block:

Imports Microsoft.Practices.EnterpriseLibrary.Security

If the class uses the AzMan provider:

Imports Microsoft.Practices.EnterpriseLibrary.Security.AzMan

If the class uses the security cache:

Imports Microsoft.Practices.EnterpriseLibrary.Security.Cache

3. Diagrams


4. IAuthorizationProvider and Authorize Function

Definition

The application block includes two implementations of the authorisation provider interface.

  • AuthorizationRuleProvider
  • AzManAuthorizationProvider

The interface exposes a single method, Authorize.

Method - Authorize

Function Authorize ( ByVal principal As IPrincipal, ByVal context As String ) As Boolean

An IPrincipal ( System.Security.Principal ) object represents the security context of the user on whose behalf the code is running. This object includes the user's identity, which is defined by an implementation of the IIdentity interface ( System.Security.Principal ), and any roles to which the user belongs.

The second parameter is a string whose meaning is specific to the authorisation provider: a role, rule, task or operation name.

Example

Simple authorize call
'User is the ASP.NET login user (Me.User inside a System.Web.UI.Page), an instance of IPrincipal.
Dim provider As IAuthorizationProvider = AuthorizationFactory.GetAuthorizationProvider()
Dim isAdmin As Boolean = provider.Authorize(Me.User, "Admin")

5. Creating an Authorization Provider Instance Using AuthorizationFactory

Definition

The AuthorizationFactory uses the supplied configuration information to determine the type of provider object to construct.

Method - GetAuthorizationProvider

The GetAuthorizationProvider method returns an IAuthorizationProvider object determined by the configuration information.

Example

Create default authorization provider
'Returns the default provider instance named in the configuration file
Dim ruleProvider As IAuthorizationProvider = AuthorizationFactory.GetAuthorizationProvider()

Create named authorization provider
'Returns the provider instance configured under the name "RuleProvider"
Dim namedProvider As IAuthorizationProvider = _
    AuthorizationFactory.GetAuthorizationProvider("RuleProvider")

6. AuthorizationRuleProvider Or Authorise By Rule

Definition

The AuthorizationRuleProvider implementation validates expressions against rules that you create using the Rule Expression Editor within the configuration console. The rules are strings that contain tokens and values. When you configure your application to use the AuthorizationRuleProvider the Authorize method accepts a rule name as the context parameter.

Create an authorisation provider by calling the static GetAuthorizationProvider() or GetAuthorizationProvider(ByVal ruleprovider as string) method on AuthorizationFactory. Call the Authorize method on the authorization provider.

Method - Authorize

Function Authorize ( ByVal principal As IPrincipal, ByVal context As String ) As Boolean

An IPrincipal ( System.Security.Principal ) object represents the security context of the user on whose behalf the code is running. This object includes the user's identity, which is defined by an implementation of the IIdentity interface ( System.Security.Principal ), and any roles to which the user belongs.

For this provider the second parameter is the name of a configured rule.

Example

Authorisation Rule Provider
Dim authRuleProvider As IAuthorizationProvider = _
    AuthorizationFactory.GetAuthorizationProvider()

'User is the ASP.NET login user (Me.User inside a System.Web.UI.Page), an instance of IPrincipal.
'"PrintDocument" is the name of a rule defined in the provider's configuration.
Dim isAuthorized As Boolean = authRuleProvider.Authorize(Me.User, "PrintDocument")

7. Defining a Rule Expression for AuthorizationRuleProvider

Definition

A rule expression combines several Boolean expressions into a single Boolean result. The AuthorizationRuleProvider evaluates a principal against any expression written in this grammar and arrives at a single Boolean value that indicates whether authorisation succeeds.

Method

Boolean Expression      Token
Word Expression         --
Identity Expression     I:
Role Expression         R:
Anonymous Expression    ?
Any Expression          *
Not Operator            NOT
And Operator            AND
Or Operator             OR

Example

Rule expression in configuration
<!-- The rule allows the Manager, Admin and Employee roles but not anonymous users -->
(R:Manager OR R:Admin OR R:Employee) AND NOT I:?
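To make the grammar concrete, here is a small stand-alone evaluator for rule expressions written in Python as an added example; it is not part of the Security Application Block and not the block's own parser. It assumes NOT binds tighter than AND, which binds tighter than OR, that I:? matches an unauthenticated identity and I:* any identity; Principal is a constructed stand-in for IPrincipal.

```python
import re
from typing import NamedTuple

class Principal(NamedTuple):
    """Constructed stand-in for IPrincipal: identity name, IsAuthenticated flag, roles."""
    name: str
    authenticated: bool = True
    roles: frozenset = frozenset()

# Rule-grammar tokens: parentheses, the three operators, and I:/R: expressions.
TOKEN = re.compile(r"\(|\)|NOT\b|AND\b|OR\b|[IR]:[^\s()]+")

def tokenize(expression):
    tokens = TOKEN.findall(expression)
    if "".join(tokens) != "".join(expression.split()):  # anything skipped was not a token
        raise ValueError(f"malformed rule expression: {expression!r}")
    return tokens

def authorize(expression, p):
    """Evaluate a rule expression for principal p. Precedence NOT > AND > OR is assumed."""
    tokens = tokenize(expression)
    def atom():
        tok = tokens.pop(0) if tokens else ""
        if tok == "(":
            value = chain("OR")
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok == "NOT":
            return not atom()
        if tok[:2] == "I:":  # identity: ? = anonymous, * = any identity, else exact name
            word = tok[2:]
            if word == "?":
                return not p.authenticated
            return word == "*" or (p.authenticated and p.name == word)
        if tok[:2] == "R:":  # role expression: plain membership test
            return tok[2:] in p.roles
        raise ValueError(f"unexpected token {tok!r}")
    def chain(op):  # left-associative run of `op`; AND joins atoms, OR joins AND-chains
        operand = atom if op == "AND" else (lambda: chain("AND"))
        value = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            rhs = operand()  # evaluated even when value short-circuits, so syntax errors surface
            value = (value and rhs) if op == "AND" else (value or rhs)
        return value
    result = chain("OR")
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return result
```

Running the page's PrintDocument rule against an unauthenticated principal that nevertheless carries the Employee role returns False, which is the whole point of the trailing `AND NOT I:?`.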

8. AzManAuthorizationProvider Or Authorize By Task Or Operation

Definition

An operation is a low-level computer action and a task is a group of operations. When you configure your application to use the AzManAuthorizationProvider, the Authorize method accepts an operation or task name as the context parameter.

Create an authorisation provider by calling the static GetAuthorizationProvider() or GetAuthorizationProvider(ByVal ruleprovider As String) method on AuthorizationFactory, then call the Authorize method on the returned provider.

Method

Function Authorize ( ByVal principal As IPrincipal, ByVal context As String ) As Boolean

An IPrincipal ( System.Security.Principal ) object represents the security context of the user on whose behalf the code is running. This object includes the user's identity, which is defined by an implementation of the IIdentity interface ( System.Security.Principal ), and any roles to which the user belongs.

For this provider the second parameter is the name of an AzMan task or operation.

Example

AzMan Authorization Provider
Dim azManProvider As IAuthorizationProvider = _
    AuthorizationFactory.GetAuthorizationProvider("AzManProvider")

'User is the ASP.NET login user (Me.User inside a System.Web.UI.Page), an instance of IPrincipal.
'"Print" is the name of an operation or task defined in the AzMan store.
Dim isAuthorized As Boolean = azManProvider.Authorize(Me.User, "Print")

9. Declaring security application block configuration section-handler

Section

The section-handler declaration contains the name of the configuration settings section and the name of the section-handler class that processes the configuration data in that section.

The name of the configuration settings section is securityConfiguration. The section-handler class is Microsoft.Practices.EnterpriseLibrary.Security.Configuration.SecuritySettings, in the assembly Microsoft.Practices.EnterpriseLibrary.Security.

Example

<configSections>
    <section name="securityConfiguration"
             type="Microsoft.Practices.EnterpriseLibrary.Security.Configuration.SecuritySettings, Microsoft.Practices.EnterpriseLibrary.Security, Version=3.1.0.0, Culture=neutral, PublicKeyToken=null" />
</configSections>

10. Authorization Providers Configuration

Section

The authorizationProviders element is a child of the securityConfiguration element. It contains the definition of the authorisation providers that can be used within the application.

Use the Enterprise Library Configuration tool, installed with the application blocks, to create, change and validate application block settings without editing the XML configuration files by hand.

Example AzMan Authorization Provider

<securityConfiguration defaultAuthorizationInstance="RuleProvider" defaultSecurityCacheInstance="Caching Store Provider">
    <authorizationProviders>
        <add storeLocation="msxml://C:\AzManStore.xml"
             application="SecurityDemo"
             scope=""
             auditIdentifierPrefix="AzMan Authorization Provider"
             type="Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider, Microsoft.Practices.EnterpriseLibrary.Security.AzMan, Version=3.1.0.0, Culture=neutral, PublicKeyToken=null"
             name="AzManXMLProvider" />
    </authorizationProviders>
</securityConfiguration>

Example Authorization Rule Provider

<securityConfiguration defaultAuthorizationInstance="RuleProvider" defaultSecurityCacheInstance="Caching Store Provider">
    <authorizationProviders>
        <add type="Microsoft.Practices.EnterpriseLibrary.Security.AuthorizationRuleProvider, Microsoft.Practices.EnterpriseLibrary.Security, Version=3.1.0.0, Culture=neutral, PublicKeyToken=null"
             name="RuleProvider">
            <rules>
                <add expression="R:Admin AND NOT I:?" name="DeleteFile" />
                <add expression="(R:Manager OR R:Admin OR R:Employee) AND NOT I:?" name="PrintDocument" />
                <add expression="(R:Admin OR R:Manager) AND NOT I:?" name="UploadFile" />
            </rules>
        </add>
    </authorizationProviders>
</securityConfiguration>

11. Deployment

Guideline

The Security Application Block is comprised of multiple assemblies. Each assembly belonging to the Security Application Block has a file name that begins with Microsoft.Practices.EnterpriseLibrary.Security.

Additionally, the application block depends on the Enterprise Library Core. Depending on the configuration of the application using the application block, it may also require the Data Access Application Block and Caching Application Block assemblies.

Applications that use the Security Application Block can be deployed in one of two configurations:

  • They can be deployed as private assemblies in the application folder hierarchy.
  • They can be deployed as shared assemblies in any file system location or in the global assembly cache.

12. References

Security Application Block: msdn2.microsoft.com/en-us/library/aa480465.aspx

Download Enterprise Application Block 3.1: www.microsoft.com/downloads/details.aspx?familyid=4c557c63-708f-4280-8f0c-637481c31718&displaylang=en

13. Demo source code

The sample below demonstrates some common uses of the Security Application Block. In order to run this demonstration the following prerequisites are needed.

  • Microsoft Enterprise Library 3.1 May 2007
  • Access to the ASPNETDB database. Instructions on setting up this database: msdn2.microsoft.com/en-us/library/aa479307.aspx
  • The configuration needs to be changed so that the connection string LocalPolicyStore points to the file AzManStore.xml found in the project directory.

To run the sample, unzip it to a known location, open the file SecurityDemo.sln in Visual Studio .NET and read the file Readme.txt before running.

Download Security Application Block sample (ZIP - 202KB)