Quite a long time ago, Microsoft came up with the concept of the Membership Provider design pattern. I have used it (just like thousands of other applications) over and over to provide application security. It works great.
I was waiting for Microsoft to improve upon what they had done years ago. But, to my surprise, their recent concepts around application security design have fallen short of expectations (no offence meant).
I have decent experience in designing and choosing application security related approaches, and I have decided to share my design approach with the community. All the source code and the database design are provided. It is available at http://applicationsecurity.codeplex.com/.
Over the last many years, I have benefitted from the information people have shared on the internet. This is an effort to give a little back. All the advertisement money from this project will go to Habitat for Humanity Int’l.
In most scenarios, application security can be accomplished using a ‘role based’ approach. Microsoft’s membership provider model (I am not going to describe it here; there is plenty of material online about the membership provider) was good in this respect, and many applications have been successfully built using this provider. Recent .NET releases have taken a slightly different approach with respect to what this built-in provider offers (see the links below). From my experience with building many applications, I feel that what is offered in .NET 4.0/4.5 is not enough.
This project is created to abstract the security requirements for all kinds of applications. In addition to roles, claims are also introduced (without the complexity usually surrounding them). An effort has also been made to support multi-tenancy.
USEFUL LINKS AND BACKGROUND
SimpleMembership, Membership Providers, Universal Providers and the new ASP.NET 4.5 Web Forms and ASP.NET MVC 4 templates
Think twice about using MembershipProvider (and SimpleMembership)
This is the early draft of our data model. As you can see, I am using Microsoft’s Entity Framework. The important thing to notice is that our new design bridges the best of both worlds. The membership provider pattern is a very useful pattern that has worked for many years for many applications. Instead of using all the tables that come with ASPNETDB, I have created a single table called CustomMembership. It is used to provide the same provider interface that is already being used by many web applications. Things take a better turn with the availability of a more powerful variation of the IPrincipal concrete implementation: now you will have access to features such as enterprise (tenant), claims, etc.
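To make the "more powerful IPrincipal" idea concrete, here is an added example (not code from the CodePlex project) of a custom IPrincipal that carries roles, claims and an enterprise (tenant) identifier, so that existing role-based code keeps working through IsInRole while new code can check claims and tenant membership. The type names EnterpriseIdentity, EnterprisePrincipal, the EnterpriseId property and the HasClaim/CanAccessEnterprise methods are hypothetical names chosen for this illustration; only IPrincipal and IIdentity are the real .NET interfaces from System.Security.Principal.

```csharp
// Added example, not the project's own code. Names such as EnterprisePrincipal,
// EnterpriseId, HasClaim and CanAccessEnterprise are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Minimal IIdentity: who the user is and how they were authenticated.
public sealed class EnterpriseIdentity : IIdentity
{
    public EnterpriseIdentity(string name, string authenticationType)
    {
        Name = name;
        AuthenticationType = authenticationType;
    }

    public string Name { get; private set; }
    public string AuthenticationType { get; private set; }
    public bool IsAuthenticated { get { return !string.IsNullOrEmpty(Name); } }
}

// IPrincipal that keeps the classic role check and adds claims and a tenant id.
public sealed class EnterprisePrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;
    private readonly ILookup<string, string> _claims;

    public EnterprisePrincipal(IIdentity identity, int enterpriseId,
                               IEnumerable<string> roles,
                               IEnumerable<KeyValuePair<string, string>> claims)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        Identity = identity;
        EnterpriseId = enterpriseId;
        // Role and claim-type comparisons are case-insensitive, matching the usual
        // behaviour of the built-in role provider.
        _roles = new HashSet<string>(roles ?? Enumerable.Empty<string>(),
                                     StringComparer.OrdinalIgnoreCase);
        _claims = (claims ?? Enumerable.Empty<KeyValuePair<string, string>>())
            .ToLookup(c => c.Key, c => c.Value, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get; private set; }

    // The tenant (enterprise) this principal was authenticated for.
    public int EnterpriseId { get; private set; }

    // Same contract role-based code already relies on (User.IsInRole("...")).
    public bool IsInRole(string role)
    {
        return Identity.IsAuthenticated && _roles.Contains(role);
    }

    // Claim check: the principal must hold a claim of this type with this value.
    // ILookup returns an empty sequence for an unknown type, so no null handling is needed.
    public bool HasClaim(string type, string value)
    {
        return Identity.IsAuthenticated
            && _claims[type].Contains(value, StringComparer.OrdinalIgnoreCase);
    }

    // Multi-tenancy guard: a user, even an administrator, only sees their own tenant's data.
    public bool CanAccessEnterprise(int enterpriseId)
    {
        return Identity.IsAuthenticated && EnterpriseId == enterpriseId;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values standing in for a row loaded from the CustomMembership table.
        var user = new EnterprisePrincipal(
            new EnterpriseIdentity("alice", "Forms"),
            enterpriseId: 42,
            roles: new[] { "Manager" },
            claims: new[] { new KeyValuePair<string, string>("Region", "EMEA") });

        Console.WriteLine("IsInRole(manager): " + user.IsInRole("manager"));
        Console.WriteLine("HasClaim(Region, APAC): " + user.HasClaim("Region", "APAC"));
        Console.WriteLine("CanAccessEnterprise(7): " + user.CanAccessEnterprise(7));
    }
}
```

In an ASP.NET application the principal would be built from the CustomMembership row and assigned to HttpContext.User in Application_AuthenticateRequest, so that existing [Authorize(Roles = "...")] attributes and User.IsInRole calls continue to work unchanged while the tenant and claim checks become available to new code.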
The solution is built using the following technology and tools:
1. Microsoft .NET 4.0/4.5
2. Microsoft Entity Framework 5.0
3. Microsoft Visual Studio 2012
4. Microsoft ASP.NET MVC 4.0 for management application UI
5. Microsoft ASP.NET MVC 4.0 WebAPI to support REST interface
6. SQL Server 2012 (Express and above)
7. SQL Server Database tools (SSDT) to manage the database objects in VS 2012/TFS 2012
8. Kendo UI Controls (This is not an advertisement for Telerik. I chose it because I can quickly build what I need. Personally I am a big fan of Telerik controls. The main focus of this project is a good application security design, not this UI.)