Microsoft Enterprise Library: Security Application Block

Develop Enterprise applications using reusable software components of Microsoft Enterprise Library 5.0 with this book and eBook

 

Microsoft Enterprise Library 5.0

Microsoft Enterprise Library 5.0

Develop Enterprise applications using reusable software components of Microsoft Enterprise Library 5.0

  • Develop Enterprise Applications using the Enterprise Library Application Blocks
  • Set up the initial infrastructure configuration of the Application Blocks using the configuration editor
  • A step-by-step tutorial to gradually configure each Application Block and implement its functions to develop the required Enterprise Application

 

        Read more about this book      

(For more resources on Microsoft Enterprise Library, see here.)

The first step is the process of validating an identity against a store (Active Directory, Database, and so on); this is commonly called as Authentication. The second step is the process of verifying whether the validated identity is allowed to perform certain actions; this is commonly known Authorization. These two security mechanisms take care of allowing only known identities to access the application and perform their respective actions. Although, with the advent of new tools and technologies, it is not difficult to safeguard the application, utilizing these authentication and authorization mechanisms and implementing security correctly across different types of applications, or across different layers and in a consistent manner is pretty challenging for developers. Also, while security is an important factor, it's of no use if the application's performance is dismal. So, a good design should also consider performance and cache the outcome of authentication and authorization for repeated use.

The Security Application Block provides a very simple and consistent way to implement authorization and credential caching functionality in our applications. Authorization doesn't belong to one particular layer; it is a best practice to authorize user action not only in the UI layer but also in the business logic layer. As Enterprise Library application blocks are layer-agnostic, we can leverage the same authorization rules and expect the same outcome across different layers bringing consistency. Authorization of user actions can be performed using an Authorization Provider; the block provides Authorization Rule Provider or AzMan Authorization Provider; it also provides the flexibility of implementing a custom authorization provider. Caching of security credentials is provided by the SecurityCacheProvider by leveraging the Caching Application Block and a custom caching provider can also be implemented using extension points. Both Authorization and Security cache providers are configured in the configuration file; this allows changing of provider any time without re-compilation.

The following are the key features of the Security block:

  • The Security Application Block provides a simple and consistent API to implement authorization.
  • It abstracts the application code from security providers through configuration.
  • It provides the Authorization Rule Provider to store rules in a configuration file and Windows Authorization Manager (AzMan) Authorization Provider to authorize against Active Directory, XML file, or database.
  • Flexibility to implement custom Authorization Providers.
  • It provides token generation and caching of authenticated IIdentity, IPrincipal and Profile objects.
  • It provides User identity cache management, which improves performance while repeatedly authenticating users using cached security credentials.
  • Flexibility to extend and implement custom Security Cache Providers.

Developing an application

We will explore each individual Security block feature and along the way we will understand the concepts behind the individual elements. This will help us to get up to speed with the basics. To get started, we will do the following:

  • Reference the Validation block assemblies
  • Add the required Namespaces
  • Set up the initial configuration

To complement the concepts and allow you to gain quick hands-on experience of different features of the Security Application Block, we have created a sample web application project with three additional projects, DataProvider, BusinessLayer, and BusinessEntities, to demonstrate the features. The application leverages SQL Membership, Role, and Profile provider for authentication, role management, and profiling needs. Before running the web application you will have to run the database generation script provided in the DBScript folder of the solution, and update the connection string in web.config appropriately. You might have to open the solution in "Administrator" mode based on your development environment. Also, create an application pool with an identity that has the required privileges to access the development SQL Server database, and map the application pool to the website. A screenshot of the sample application is shown as follows:

(Move the mouse over the image to enlarge.)

Referencing required/optional assemblies

For the purposes of this demonstration we will be referencing non-strong-named assemblies but based on individual requirements Microsoft strong-named assemblies, or a modified set of custom assemblies can be referenced as well. The list of Enterprise Library assemblies that are required to leverage the Security Application Block functionality is given next. A few assemblies are optional based on the Authorization Provider and cache storage mechanism used. Use the Microsoft strong-named, or the non-strong-named, or a modified set of custom assemblies based on your referencing needs.

The following table lists the required/optional assemblies:

Assembly Required/Optional
Microsoft.Practices.EnterpriseLibrary.Common.dll Required
Microsoft.Practices.ServiceLocation.dll Required
Microsoft.Practices.Unity.dll Required
Microsoft.Practices.Unity.Interception.dll Required
Microsoft.Practices.Unity.Configuration.dll Optional

Useful while utilizing Unity configuration classes in our code

Microsoft.Practices.EnterpriseLibrary.Security.dll Required
Microsoft.Practices.EnterpriseLibrary.Security.AzMan.dll Optional

Used for Windows Authorization Manager Provider

Microsoft.Practices.EnterpriseLibrary.Security.Cache.CachingStore.dll Optional

Used for caching the User identity

Microsoft.Practices.EnterpriseLibrary.Data.dll Optional

Used for caching in Database Cache Storage

Open Visual Studio 2008/2010 and create a new ASP.NET Web Application Project by selecting File | New | Project | ASP.NET Web Application; provide the appropriate name for the solution and the desired project location. Currently, the application will have a default web form and assembly references. In the Solution Explorer, right-click on the References section and click on Add Reference and go to the Browse tab. Next, navigate to the Enterprise Library 5.0 installation location; the default install location is %Program Files%\Microsoft Enterprise Library 5.0\Bin. Now select all the assemblies listed in the previous table, excluding the AzMan-related assembly (Microsoft.Practices.EnterpriseLibrary.Security.AzMan.dll).

The final assembly selection will look similar to the following screenshot:

Microsoft Enterprise Library

        Read more about this book      

(For more resources on Microsoft Enterprise Library, see here.)

Adding initial security settings

Before we can leverage the features of the Security Application Block, we have to add the initial Security Settings to the configuration. Open the Enterprise Library configuration editor either using the shortcut available in Start | All Programs | Microsoft patterns & practices | Enterprise Library 5.0 | Enterprise Library Configuration or just by right-clicking the configuration file in the Solution Explorer window of Visual Studio IDE and clicking on Edit Enterprise Library V5 Configuration. Initially, we will have a blank configuration file with default Application Settings and Database Settings.

The following screenshot shows the default configuration settings:

Microsoft Enterprise Library

Let us go ahead and add the Security Settings in the configuration file. Select the menu option Blocks, which lists many different settings to be added to the configuration, and click on the Add Security Settings menu item to add the security configuration settings.

The following screenshot shows the available options in the Blocks menu:

Microsoft Enterprise Library

Once we click on the Add Security Settings the configuration editor will display the default Security Settings as shown in the following screenshot.

Microsoft Enterprise Library

The Security Settings consist of Authorization Providers, Security Caches and Authorization Rules. Authorization Rules can be configured only while using Authorization Rule Provider. We will change the configuration further but for now, we are in good shape with regards to the initial infrastructure configuration.

Adding namespaces

We will be leveraging types from several different namespaces and so to make our life easy we can add the given namespace to the source code file to use the Security block elements without fully qualifying the references. Although we will be using EnterpriseLibraryContainer to instantiate objects (we will also add Microsoft.Practices.EnterpriseLibrary.Common.Configuration namespace to the source file), the Unity Namespace section is listed to make you aware of the availability of the alternative approach of instantiating objects.

  • Core Namespace:
    • Microsoft.Practices.EnterpriseLibrary.Security
  • Configuration Namespace (Optional): Required while using the EnterpriseLibraryContainer to instantiate objects.
    • Microsoft.Practices.EnterpriseLibrary.Common.Configuration
  • Unity Namespace (Optional): Required while instantiating objects using UnityContainer.
    • System.Configuration
    • Microsoft.Practices.Unity
    • Microsoft.Practices.Unity.Configuration

Creating security application block objects

We have several options at hand while creating objects, such as using a static factory class, using Unity service locator and using Unity container directly. A few approaches such as configuring the container through a configuration file or code are not listed here but the recommended approach is either to use the Unity Service Locator for applications with few dependencies or create objects using Unity container directly to leverage the benefits of this approach. Use of a static factory class is not recommended.

Using the static factory class

Static factory classes were the default approach for creating objects with versions prior to 5.0. This approach is no longer recommended but is still available for backward compatibility.

The following is the syntax to create deafult and named Authorization Provider instances using the static AuthorizationFactory class:

//Instantiating Using Static Factory - Default Authorization Provider
IAuthorizationProvider defaultAuthorizationProvider =
AuthorizationFactory.GetAuthorizationProvider();

//Instantiating Using Static Factory - Named Authorization Provider
IAuthorizationProvider namedAuthorizationProvider =
AuthorizationFactory.GetAuthorizationProvider("AuthzProvider");

The following is the syntax to create deafult and named Security Cache Provider instances using the static SecurityCacheFactory class:

//Instantiating Using Static Factory - Default Security Cache
Provider ISecurityCacheProvider defaultSecurityCacheProvider
= SecurityCacheFactory.GetSecurityCacheProvider();

//Instantiating Using Static Factory - Named Security Cache
Provider ISecurityCacheProvider namedSecurityCacheProvider
= SecurityCacheFactory.GetSecurityCacheProvider("SecurityCache");

Using Unity service locator

This approach is recommended for applications with few dependencies. The EnterpriseLibraryContainer class exposes a static property called Current of type IServiceLocator, which resolves and gets an instance of the specified type.

The following is the syntax to create default and named Authorization Provider instances using the EnterpriseLibraryContainer class:

//Instantiating Using Unity Service Locator - Default Authorization
Provider
IAuthorizationProvider defaultAuthorizationProvider =
EnterpriseLibraryContainer.Current.GetInstance<IAuthorizationProvid
er>();

//Instantiating Using Unity Service Locator - Named Authorization
Provider
IAuthorizationProvider namedAuthorizationProvider =
EnterpriseLibraryContainer.Current.GetInstance<IAuthorizationProvid
er>("AuthzProvider");

The following is the syntax to create default and named Security Cache Provider instances using the EnterpriseLibraryContainer class:

//Instantiating Using Unity Service Locator - Default Security Cache
Provider
ISecurityCacheProvider defaultSecurityCacheProvider =
EnterpriseLibraryContainer.Current.GetInstance<ISecurityCacheProvid
er>();

//Instantiating Using Unity Service Locator - Named Security Cache
Provider
ISecurityCacheProvider namedSecurityCacheProvider =
EnterpriseLibraryContainer.Current.GetInstance<ISecurityCacheProvid
er>("SecurityCache");

Using Unity container directly

Larger complex applications demand looser coupling; this approach leverages the dependency injection mechanism to create objects instead of explicitly creating instances of concrete implementations. Unity container stores the type registrations and mappings in the configuration file and instantiates the appropriate type whenever requested. This allows us to change the type in the configuration without re-compiling the code and essentially to change the behavior from outside.

The following is the syntax to create default and named Authorization Provider instances using the UnityContainer class:

var container = new UnityContainer();
container.AddNewExtension<EnterpriseLibraryCoreExtension>();

//Instantiating Using Unity Container Directly - Default Authorization
Provider
IAuthorizationProvider defaultAuthorizationProvider = container.Resolv
e<IAuthorizationProvider>();

//Instantiating Using Unity Container Directly - Named Authorization
Provider
IAuthorizationProvider namedAuthorizationProvider = container.Resolve<
IAuthorizationProvider>("AuthzProvider");

The following is the syntax to create default and named Security Cache Provider instances using the UnityContainer class:

var container = new UnityContainer();
container.AddNewExtension<EnterpriseLibraryCoreExtension>();

//Instantiating Using Unity Container Directly - Default Security
Cache Provider
ISecurityCacheProvider defaultSecurityCacheProvider = container.Resolv
e<ISecurityCacheProvider>();

//Instantiating Using Unity Container Directly - Named Security Cache
Provider
ISecurityCacheProvider namedSecurityCacheProvider = container.Resolve<
ISecurityCacheProvider>("SecurityCache");

Summary

In this article we discussed the key features of the Security Application Block.

In the next article, Microsoft Enterprise Library: Authorization and Security Cache, we will explore the elements of Authorization and Security Cache Providers.


Further resources on this subject:


Books to Consider

Getting Started with Microsoft Application Virtualization 4.6
$ 32.99
Enterprise Security: A Data-Centric Approach to Securing the Enterprise
$ 26.99
Implementing Microsoft Forefront Unified Access Gateway 2010 [Video]
$ 72.25
comments powered by Disqus