ASP.NET 2.0 Security Best Practices (and the declarative PrincipalPermission attribute)

Tuesday, November 15, 2005

This is a great MSDN whitepaper about ASP.NET 2.0 Security Best Practices. I’d definitely recommend setting aside some time to read it. At the bottom of the whitepaper there are then links to another 28 additional ASP.NET HowTo security whitepapers. Most of the articles were rated a perfect 9 out of 9 from people who have read them – always a good sign of great content.

One tip that the papers cover that I’ve been meaning to blog about is the ability to add declarative permission attributes to classes and methods. These allow you to limit the ability to instantiate a type or invoke a class member based on the identity of the browser user for the request, and provide a clean defense-in-depth mechanism that you can use to add additional security to your business logic, data logic, and even UI logic within your page.

For example, the below code will prevent the “Authors” class from being instantiated during a request unless the incoming user is authenticated:

[PrincipalPermission(SecurityAction.Demand, Authenticated=true)]
public class Authors
{
// Methods
}

And the below code will prevent the "Authors" class from being instantiated during a request unless the incoming user is in the “Admin” role:

[PrincipalPermission(SecurityAction.Demand, Role="Admin")]
public class Authors
{
// Methods
}

Note that enabling role-based security with ASP.NET 2.0 is now trivially easy with the new ASP.NET 2.0 role management service. Here is one of those how-to articles on how to use the new role-manager capabilities.

Hope this helps,

Scott

6 Comments

My only problem with this is that if the demand fails you throw an exception. The exception is thrown outside the body of the method so you better have some upstream error handling in place to deal with this.

This is one of the reasons I tend to use an imperative IsInRole() instead in many cases because I can fail a bit more cleanly.

Am I missing something?

Chris Kinsman - Tuesday, November 15, 2005 6:38:00 PM

Cripes, that's so good, it's almost silly. Good to know.

foobar - Wednesday, November 16, 2005 12:38:00 AM

Hi Chris,

I view this mainly for defense in depth -- so you can add additional protection to your business logic and ensure you don't accidentally expose functionality. So in this case you'd check at the url level with web.config, then chck using imperative IsInRole() checks in your page, and then add these declarative attributes on your business and data classes.

Hope this helps,

Scott

scottgu - Wednesday, November 16, 2005 12:44:00 AM

Hi Scott,

Could you please write a blog entry explaining exactly the changes introduced with V2 where you do not need to have the physical ASPX file in order to serve the request. In other words, I assume the V2 script mapping in IIS has the setting to *not* check if the physical file exists. Could you then explain how this relates to the fully precompiled option (non-updatable). Then could you outline how to write reusable control libraries (ie .ascx) similar to your blog entry in late August....and how the recent Web Deployment project plugin you have in Beta helps with all this.

I am really frustrated....after 5+ years of spending most of my time with ASP.NET and following everything since the PDC in 2003...and reading all your blog entries, last night I re-read your late august article, but i am having all kinds of problems.

I need a low level understanding of what ASP.NET is doing and what files it is looking at...Is the runtime looking for the .compiled files? Is the runtime looking for PreCompiledApp.config file, etc, etc....I keep deleting certain files and end up have asp.net not finding my page. I realise I have no understanding of how all these specially generated .compiled/PrecompiledApp.config files are used by the runtime....Undes what scenarios can they be deleted? Why do you auto-generate the dependencies in the .compiled files, if I produce a lib I do want the dependencies still there, etc, etc.....Very frustrated, sorry for incoherent email but I just wasted 2 hours just trying to confirm your august blog...and failed, and need to get back to real work.

PS Currently running all our stuff in production on runtime V2 (but still as apps compiled with VS 1.1)...very smooth so far.

David Taylor - Friday, November 18, 2005 11:24:00 AM

BTW Scott, I should have added that I was not exactly following your instructions back in August. I was trying to create a library with the "Non-updatable" option and hoped I could literally end up just with a DLL. I tried the web deployment project tool to merge everything into a single assembly. I just figured it would be great to use that utility and merge everything into a single assembly...and hoped you could even compile in any .aspx and .ascx content.

I am just playing trying to figure out what is possible, before I provide guidance to others....but my experience so far is this is was to hard.

David Taylor - Friday, November 18, 2005 11:31:00 AM

Hi David,

I'll add this to my list of things to blog (maybe this weekend -- although I can't promise <g>).

Thanks,

Scott

scottgu - Saturday, November 19, 2005 5:40:00 AM

Comments have been disabled for this content.