I am currently developing a WPF client application which uses Linq-to-SQL for the typed table objects and to wrap around an abundance of CRUD stored procedures in a MS SQL database on an external server. I do not foresee manipulating data directly via the context, only the stored procedures.
My two biggest concerns are:
1) Database security
2) Flexible architecture
As far as I can tell, since the application will be readily available for download via the internet, storing database connection information in the application itself is not an option (for security reasons). I feel my only option is putting my DAL in a web service.
User credentials can be passed along on a per-operation basis and database connection information will be stored safely on a secure web server.
I am curious as to whether this is method is valid, and if so is it optimal? Can I easily serialize Linq-to-SQL objects (table and stored procedure results) to send back and forth between the client and the web service?
Thank you in advance.
You are right, if your application is used over the internet, you pretty much have to put a middle tiers in there.
If what you are doing is primarily CRUD, I think a good idea would be to take a look at ADO .Net Data Services. It's an efficient way to expose data through a REST interface, and you get a client library to access your data in a typed manner on the client side.
It supports the usual ASP.Net security mechanisms (such as Forms authentication, membership provider and so on) so that you can secure your access points based on the user's credentials (and for that you can use the Client Services that can take care of authenticating between your app and your server).
Hope those pointers help.
Related
I am migrating the my old ASP.NET Web Forms project to ASP.NET Core Web API and Frontend Angular. in my older application storing user information instace and it's values(like assigned groups,permissions,and other user information).i am going to use JWT i can't store all information in JWT,so should i continue session in my asp.net core application or retrieve this information from database in each request?
Is there any other Best practices are available in modern application development?
Multiple options for this, depending on what you need:
Angular cache. If the data is not sensitive, you can use the rxjs observables to cache some data on the application side. Nothing wrong with some data stored on the browser. Since you are coming from a full postback application, the SPA caching is most times equivalent to old Session object.
Depending on the implementation you might need some cache on the server side too. Since as mentioned you'll have multiple servers, I'd suggest only caching lookups and such, not user related data. If you implement stickyness with servers and sessions (not recommended), this is still an option.
Distributed cache. You might have heard of Redis and such? This is also an option to store cache data to a third service, accessible by all server instances.
It all comes down to complexity vs speed. If the queries are simple enough and lightning fast, then it might be useless to store them in any cache anyway.
I want to create a game within the Unity game engine in C# with .NET where I can securely connect out to a private server, and read and write data from/to the server. I understand how to do this in a non-secure way, where I would setup a private SQL database with a webpage interface between the two.
My problem comes here, I know if I want the web interface to be public, I need credentials to connect to the server, such as an Auth key, or username and password. However, in order to use those, then the auth-key would need to ship with the game as a file, or would need to be written directly into the codebase. I know that users can decompile games, and access these files and get the credentials if I include them, which means that option is off the table as far as I am aware.
It is my understanding that even with this layer between the database and the client, someone could still find the url for the interface between them, and then send custom function calls to this url as I will be doing in the game program. Wouldn't this lead to the same conclusion as having the database be open?
If anyone has answers to this, or resources where I can learn about this process, please let me know! I have never done server-side programming before and have also never thought about security before in my life.
You're correct in that you should not embed authentication keys into your apps. Where you're falling down is in exposing your database to the world. Don't do this. Instead, hide it behind a web server that serves only json data files. This way you can take advantage of the web server's authentication and session protocols.
Since you're already working with C#, I would suggest looking into ASP.NET Core MVC and specifically about WebAPI. But I would probably recommend node.js for lightweight microservices.
I was assigned with a mission to upgrade a legacy WCF and angular project written long time ago by a freelancer and add authentication and authorization to it.
I am quite new to the project and I was quite horrified when I saw the code.
Unfortunately, I can't share code, but I can tell you that:
Client-side is an SPA angularjs application.
Project is quite small.
There is no ORM - Only SQL (Stored procedure) queries.
The database is SQL Server.
The database Users, Roles etc.. schema was decided by the freelancer and was not built by any tool (like Microsoft Membership)
and without any regard to any conventional user table schemas. User table has a username, email, password, and a lot of other application data columns.
Most of the database table columns are encrypted/decrypted by the server before writing or read to/from the database. He wrote an encryption service.
Password was encrypted with a symmetric encryption (and only once).
Data being sent to the server is encrypted by the client and decrypted by the server and vis verse. The server always receives and return
strings (I guess he didn't trust HTTPS).
There are 2 encryptions - one between client and server and the other one between server and database.
The server always returns status 200, even when there is a failure. The return type must always be an object of type {success, resultObj} - this is what the client expected.
This system works on production with live users so changing schema will force schema change in production as well.
WCF server only serves site requests for now but might be needed to serve other application as well in the near future
Fortunately, the business logic is well organized in services and there is no code in the WCF controllers except calling services functions.
There is a separate project for the WCF service and another one for the angularjs application
There is no authorization or authentication at all!!! Login doesn't do anything (no cookie, no session, no token- no nothing).
Requirements:
I need to implement a bear minimum of authentication and authorization.
I need to update the server technology as much as we can to help us build new features on top of it in the near future.
Time is at the essence
I know it a lot to process and I am willing to share all data necessary (except code).
I read a lot about Asp.Net Identity and Identity Server and Web API Security and MVC Security but I really don't know which way to go.
Questions:
I am thinking of killing the WCF Service project and opening a new project where I will move all my business logic too.
I'm not sure If I need to create an MVC or Web API application. My client is angularjs spa application. If I don't need razor views should I use Web API?
Can I implement Identity Server on a database with a custom-made schema without entity framework? Is it recommended?
I understood that Identity Server is not used to authenticate and authorize the request, if so, what should I use on top of it?
If you have any thoughts, specific articles or any guiding questions, I will really really appreciate some help.
I need to do a WCF service to wrap up the database access. I do not want the service to be bind to any specific database. In fact, it will only receives a query and returns a dataset. no treatement on the data will be done in the service so I want pure performance but it need to be secure too.
Actually, I think using perCall session, net.tcp binding and certificate autentification on both side. (it's a WAN app)
Still, can someone give some advices on the configuration that I should use?(Type of Session,Type of binding,Type of security,etc..)
It sounds like you could take advantage of WCF Data Services.
WCF Data Services (formerly known as
"ADO.NET Data Services") is a
component of the .NET Framework that
enables you to create services that
use the Open Data Protocol (OData) to
expose and consume data over the Web
or intranet by using the semantics of
representational state transfer
(REST). OData exposes data as
resources that are addressable by
URIs. Data is accessed and changed by
using standard HTTP verbs of GET, PUT,
POST, and DELETE. OData uses the
entity-relationship conventions of the
Entity Data Model to expose resources
as sets of entities that are related
by associations.
I need to be able to tighten my business layer - access to particular data.
The UI can make a call to the business layer and receive a userdetail. The UI can then call .Save() on a user and the business layer will call the data access layer to save the user.
Although, the problem here is that I don't just want any user to be able to receive a userdetail and call save - only authenticated users with that role of "admin". How would I go about this authentication/authorisation in my business layer/UI so I can achieve this?
I am using ASP.NET for my UI, and I've read into membership/role providers, but this just seems to be for the actual UI. I need to secure it at my business layer because in the future there could be a couple of different UI's. e.g. windows forms and Asp.net.
Thoughts and suggestions are appreciated.
Thanks.
Another approach you might want to research (if developing in .NET 3.5 / 4.0) is using Windows Identity Foundation.
If you are insterested in keeping your authorization logic outside your web site (which I assume you would if you are expecting to use your business layer from more than 1 front-end) I would definitely recommend yaking a look at WIF. You can also integrate with Active Directory using ADFS v2.0 (which is a server role in Windows Server 2008 R2).
Patterns & Practices has released a guide which can be quite useful for digging into the subject.
The ASP.NET Role / Membership providers include storage and code level components you can re-use - they aren't just the UI.
For fine-grained access control (for example to specific functionality on a page) you can use the Enterprise Libraries. You'll be able to re-use code to protect functionality both at the BL layer and in the UI layer.
The link you most want is this one: Determining Whether a User Is Authorized to Perform a Task
Also see:
What Does the Security Application Block Do?
DotNetJohn - Enterprise Library Security Block...
Rule Based Security using Microsoft Enterprise Library and CAS
During earlier releases of the EntLibs, the Authorization Manager was a key component, but in more recent versions it's not a firm requirement, instead you can use an AuthorizationRuleProvider.
see: Developing Applications Using Windows Authorization Manager.
Filtering data is a bit more problematic depending on the complexity of your data, the amount of it and performance needs.
One strategy is to have a simple DAL that returns everything, and prune out data the current user isn't allowed to see in the BL.
Design a DAL that has some knowlegde of the roles your application uses:
DAL.GetCustomersForAdmin() and DAL.GetCustomersForMember() But this is a bit dangerous as you'll be tied to using those roles.
Have a database / DAL that is security aware, and always returns only the data the user is permitted to see, via the same methods: DAL.GetCustomers()