User-Based Security

Application Development Using Visual Basic and .NET
By Robert J. Oberg, Peter Thorsteinson, Dana L. Wyatt
Chapter 16. Security


User-Based Security

From the perspective of traditional user-based security, the authentication question is, Who is the identity attempting to do the action? An identity is typically a user or group name. Credentials are the evidence a user presents to prove that identity: a password, a smart card, or a reading from a biometric device. The user's credentials must be verified by some security authority. An example is verifying the password supplied with a login name against a database of user names and encrypted passwords. Systems that permit unverified access are said to allow anonymous access. In security lingo, an identity that can be authenticated is referred to as a principal.

The authorization question is, Can the identity perform the action it is attempting? The principal is compared against some list of rights to determine whether access is granted or denied. For example, when you access a file, your user name is compared with the file's ACL for the action you want to perform, and that comparison decides whether you may access the file. Of course, access is not always all or nothing. For example, you might have read, but not modify, rights to a file.

In a client/server or multitier architecture, the identity under which the server executes is often very powerful, and you typically want to restrict the client that makes a request on the server to some subset of the privileges the server has. In other cases, such as anonymous access, the server may not know who the client really is and must act accordingly. In these situations, the server can impersonate the client so that the privileges in effect are limited to those of the client. In other words, code executes under the identity of the client instead of the server. In the case of anonymous access, the server runs under the identity of some preset user account with carefully selected privileges. Windows security and ASP.NET security are based on the concepts of user-based security.
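The three ideas above (a principal, an authorization check against that principal, and impersonating the client so the server's powerful identity is not used for the client's work) as one short VB.NET console program. This is an added example, not code from the book; it assumes the `System.Security.Principal` types of the .NET Framework, uses membership in the Administrators group as a stand-in for an ACL entry that grants modify rights, and, so that it runs without a logon call, impersonates the process's own token where a real server would use the authenticated client's `WindowsIdentity`.

```vb
Imports System
Imports System.Security.Principal

Module UserBasedSecurityDemo

    ' Authentication: the principal for the Windows account the current
    ' thread runs under. In ASP.NET with Windows authentication the
    ' equivalent is HttpContext.Current.User.
    Function CurrentPrincipal() As WindowsPrincipal
        Return New WindowsPrincipal(WindowsIdentity.GetCurrent())
    End Function

    ' Authorization: compare the principal against a list of rights.
    ' Assumption: Administrators stand in for an ACL entry granting
    ' modify rights; every other principal is treated as read-only.
    Function CanModify(ByVal p As WindowsPrincipal) As Boolean
        Return p.IsInRole(WindowsBuiltInRole.Administrator)
    End Function

    Delegate Sub ClientAction()

    ' Impersonation: run the client's work under the client's identity,
    ' not the server's. Undo in Finally guarantees the server identity is
    ' restored even if the work throws, so a later request cannot run
    ' under the previous client's token by accident.
    Sub RunAsClient(ByVal client As WindowsIdentity, ByVal work As ClientAction)
        Dim ctx As WindowsImpersonationContext = client.Impersonate()
        Try
            work.Invoke()
        Finally
            ctx.Undo()
        End Try
    End Sub

    Sub ShowIdentity()
        Console.WriteLine("Running as: " & WindowsIdentity.GetCurrent().Name)
    End Sub

    Sub Main()
        Dim server As WindowsPrincipal = CurrentPrincipal()
        Console.WriteLine("Server identity: " & server.Identity.Name)
        Console.WriteLine("May modify: " & CanModify(server).ToString())

        ' Constructed stand-in for a client token: the process's own
        ' identity. A real server would pass the authenticated client's
        ' WindowsIdentity here instead.
        Dim client As WindowsIdentity = WindowsIdentity.GetCurrent()
        RunAsClient(client, AddressOf ShowIdentity)
        Console.WriteLine("After Undo: " & WindowsIdentity.GetCurrent().Name)
    End Sub

End Module
```

Running the program under a non-administrator account shows the same principal being authenticated yet denied modify rights, which is the read-but-not-modify case the text describes.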


Application Development Using Visual Basic® and .NET
Year: 2002
Pages: 190
