Chapter 4 -- Impersonation APIs


Who are you? This question is more than just a song by The Who. Who you are, or who the user of your service is, can make a difference in how a server should react. Let's say you have a database server that accesses files on the server on behalf of the user at the client workstation. Usually the server has full access rights to all of the resources on the server, such as files and the registry. Should the server use all of those rights on behalf of any user who happens to connect? Probably not.

Once you've decided that the server should not simply allow its clients to have free rein of the system, you must decide how to restrict the client's access to the resources that the server touches on its behalf. Several possibilities exist, and most servers use some or all of these methods to allow or disallow access to resources.

One common method for restricting a client's access to resources on a server is to set up a user database specific to the server. Using this database, an administrator can assign or deny permissions, perhaps on a directory-by-directory basis or by using some other method to divide permissions. One example of this is Microsoft SQL Server's use of its own database for users and their rights. For example, in most cases, the system administrator has administrative rights and can assign or deny rights to individual databases by using those rights.

Another common method for assigning rights for incoming clients within a server application is to leverage the user database of the network operating system. For example, when you set up Microsoft SQL Server security, you are presented with a dialog much like the one in Figure 4-1.

The Security section of the dialog allows the selection of two types of authentication. The first option uses both the SQL Server user database and the user accounts from Microsoft Windows NT for authentication. The second option only allows use of the Windows NT user database. These options are roughly comparable to the two options we have discussed.


Figure 4-1 Dialog to set up Microsoft SQL Server 7.0 security.

Once you know who is asking for a resource, how do you decide whether access should be permitted? While it might seem simpler to use a database provided by the application (and in some cases this is the only way to provide the level of control required), with Windows 2000 there is another way.



Inside Server-Based Applications (DV-MPS General)
ISBN: 1572318171
Year: 1999
