ASP/COM Security Architecture - how to?


#1 - ASP/COM Security Architecture - how to?

This is related to both ASP and COM; any comments would be appreciated. Thanks.

I am developing an application using ASP and COM. In the application each user has a database (Oracle) logon id. There is a table in the db that specifies what 'roles' each user has in the application (administrator, regular user, readonly, etc.).

There are certain methods in the COM objects that I would like to restrict to certain user roles. I could, of course, check in the ASP that the user has a certain level of access in order to use that ASP functionality. However, in theory, one could make their own ASP page without this check and access the COM object methods directly (if they were able to place this new page in the webroot directory).

Access could be restricted at the db level, per table, pretty easily, but the granularity of that approach is not very flexible, and implementing security at the per-row level would be extremely complex.

In my estimation, this leaves passing the userId to the COM object and checking the user role. When the object is created, it could load the access restrictions for all methods within and store them in local variables, so there would only be one db lookup per created object for security checking. But is there a better way (fewer db accesses) that is still secure? The DB structure is fairly inflexible.

Thanks.

#2 - RE: ASP/COM Security Architecture - how to?

You're right; what you want isn't easy. There are two possible solutions:

1. Use Microsoft Transaction Server. It provides you with a rich set of tools that you can use to validate who can and who can't use which methods from a component. MTS is actually the best choice.... even better is that it integrates with the security from Windows, which means that you get access to its users and groups. Using this security isn't very easy, but the help explains it in quite some detail.

2. Develop a proxy-like component that sits between the database and the web app. Each row, column and table gets a set of restrictions and you check, for each data request, whether the restrictions block the user. This is VERY difficult, but quite flexible. So, this is probably not a good solution after all.

Go with MTS, definitely.
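Both posts converge on the same principle: the role check must live inside the component, where a caller-written page cannot skip it, and the method-to-role mapping is declared on the component (the MTS-style approach in #2) while the caller's roles are loaded once per object (the one-lookup design in #1). The following is an added example, not code from the thread or from MTS. Python stands in for the VB6/COM component and the ASP pages that call it; an in-memory sqlite3 table stands in for the Oracle role table. The table layout (`user_roles`), the role names, the method names and the `rogue_page_delete` caller are all assumptions made for the illustration.

```python
"""Method-level role checks enforced inside the component.

Added illustration, not code from the thread. Python stands in for the
VB6/COM component and the ASP pages that call it; an in-memory sqlite3
table stands in for the Oracle role table. Table layout, role names and
method names are assumptions.
"""
import sqlite3
from functools import wraps

# Constructed sample rows for the assumed user_roles table.
SAMPLE_ROLES = [
    ("alice", "administrator"),
    ("bob", "regular"),
    ("carol", "readonly"),
]


def open_sample_db():
    """Build the constructed role table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_roles (user_id TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)", SAMPLE_ROLES)
    return conn


def requires_role(*allowed):
    """Declare the roles permitted to call a method (declared on the component)."""
    def decorate(method):
        @wraps(method)
        def guarded(self, *args, **kwargs):
            # The caller cannot skip this: it runs inside the component.
            if not self._roles & frozenset(allowed):
                raise PermissionError(
                    f"{self._user_id!r} needs one of {sorted(allowed)} for {method.__name__}")
            return method(self, *args, **kwargs)
        guarded.allowed_roles = frozenset(allowed)
        return guarded
    return decorate


class ReportComponent:
    """Loads the user's roles once at construction: one DB round trip per object."""
    lookups = 0  # counts role queries, to show there is exactly one per object

    def __init__(self, conn, user_id):
        self._user_id = user_id
        rows = conn.execute(
            "SELECT role FROM user_roles WHERE user_id = ?", (user_id,)).fetchall()
        ReportComponent.lookups += 1
        # Unknown user => empty role set => every guarded method is refused.
        self._roles = frozenset(role for (role,) in rows)

    @requires_role("administrator", "regular", "readonly")
    def read_report(self, report_id):
        return f"report {report_id}"

    @requires_role("administrator", "regular")
    def update_report(self, report_id, body):
        return True

    @requires_role("administrator")
    def delete_report(self, report_id):
        return True


def attempt(method, *args):
    """Call a guarded method; report 'ok' or 'denied' instead of raising."""
    try:
        return ("ok", method(*args))
    except PermissionError:
        return ("denied", None)


def rogue_page_delete(conn, user_id, report_id):
    """An ASP page that omits the page-level check and calls the component directly."""
    component = ReportComponent(conn, user_id)
    return attempt(component.delete_report, report_id)[0]


def permission_matrix():
    """Audit view: which roles may call which method, read from the declarations."""
    return {name: sorted(attr.allowed_roles)
            for name, attr in vars(ReportComponent).items()
            if callable(attr) and hasattr(attr, "allowed_roles")}
```

One caveat the thread does not spell out: this only closes the bypass if the `user_id` handed to the component comes from the authenticated session rather than from anything the page author controls, otherwise the rogue page simply constructs the object with an administrator's id. That is the gap the MTS suggestion in #2 addresses by binding the check to the caller's Windows identity instead of a parameter.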
