elwoos
Master Smack Fu Yak Hacker
2052 Posts
Posted - 2005-11-09 : 09:42:41

I look after a legacy app that is, shall we say, less than perfect. In order to access the database, the app was set up to use Windows Authentication BUT it also has its own authentication mechanism. So Windows authentication is used to access the data, but from within the app it is also controlled by the application authentication.

I'm trying to develop an ASP.NET UI for parts of this application. Should I use Forms authentication (which will allow me to make use of the existing application authentication mechanism and will in the future possibly allow me to put the app onto the web) or do I stick with Windows Authentication, which is a little more secure? Perhaps more importantly, if I use forms authentication how do I authenticate to the SQL Server? Do I just have a single login specifically to extract all the data that will be required for my app (which sounds like a security risk), or should I rewrite all the sprocs to take authentication data? If I am using Windows authentication does that pass on to the SQL server?

thanks

steve
-----------
Facts are meaningless. You could use facts to prove anything that's even remotely true!
jhermiz
3564 Posts
Posted - 2005-11-11 : 08:31:33

Hi Steve,

For the .NET framework the most popular type of authentication is Forms Authentication. The reason is that with forms authentication you can handle the security from within your application. Let me give you a run down of what I do and maybe it will help you in your situation.

I use forms authentication for my ASP.NET apps. I use SQL Server authentication (not Windows authentication) for my back end, only because I manage my security using my own DBSecurity class. That way I create a general SQL user and place this user in my ASP.NET connection string, which is located in my web.config file. Not only do I have a specific user for my app from SQL, but I also have a specific user who has various rights for my reports (Reporting Services). This way I avoid using the sa account; I handle my own read / write / execute permissions from my database class (this can be your own user-defined class such as a compiled dll (another tier)). My RS user is a SQL user on my SQL box that has access to only those "rsp" procedures for each of my reports. That way I can use this user as the credentials for my connection string inside of RS. As for my application, like I said I have an admin-created account in SQL for that specific database and I set access levels to that user. In my application I can handle who can run / read / write inside of the application.

Does this help?

Thanks,
Jon

Keeping the web experience alive -- [url]http://www.web-impulse.com[/url]
Imperfection living for perfection -- [url]http://jhermiz.blogspot.com/[/url]
elwoos
Master Smack Fu Yak Hacker
2052 Posts
Posted - 2005-11-11 : 12:23:10

Thanks Jon, yes it does help. My users have different levels of access according to their roles. So, if I have understood correctly, your method doesn't apply to that situation. I'm beginning to think that passing authentication information to the sprocs is the only route I can take, unless you have any other suggestions.

Many thanks

steve
-----------
Facts are meaningless. You could use facts to prove anything that's even remotely true!
jhermiz
3564 Posts
Posted - 2005-11-11 : 13:13:34

This is something you need to think about. Like I said, you could write a compiled dll tier that handles security. That means you will need to control security and create SET and GET functions to set a user's role and/or retrieve a user's role before performing an event.

Personally (ducks down), I don't care for Windows Authentication when it comes to applications, only because I don't want to introduce hundreds of users from my DOMAIN controller. I like to create a central user and then handle roles / security in my application by writing my own Security Class.

But it is your ultimate decision as to what you want to do now.

Jon

Keeping the web experience alive -- [url]http://www.web-impulse.com[/url]
Imperfection living for perfection -- [url]http://jhermiz.blogspot.com/[/url]
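One way to combine the two approaches discussed in this thread (a single SQL login for the ASP.NET app, with roles enforced per user), as an added T-SQL example that is not part of the original posts: the app login can only EXECUTE stored procedures, is denied direct table access, and each procedure checks the application role of the user name passed in as a parameter. Table, procedure, login, role and user names are constructed for illustration, and the password is a placeholder.

```sql
-- Constructed schema: the app keeps its own user/role table (application
-- authentication), independent of SQL Server logins.
CREATE TABLE dbo.AppUser (
    UserName sysname     NOT NULL PRIMARY KEY,
    RoleName varchar(32) NOT NULL          -- e.g. 'Reader', 'Editor'
);
CREATE TABLE dbo.Orders (
    OrderId int   NOT NULL PRIMARY KEY,
    Amount  money NOT NULL
);
INSERT dbo.AppUser VALUES ('steve', 'Reader');   -- constructed sample rows
INSERT dbo.Orders  VALUES (1, 10.00);
INSERT dbo.Orders  VALUES (2, 25.50);
GO
-- The procedure takes the application user name as a parameter and enforces
-- the application role itself; the app login needs no direct table rights.
CREATE PROCEDURE dbo.GetOrders
    @AppUserName sysname
AS
BEGIN
    SET NOCOUNT ON;
    IF NOT EXISTS (SELECT 1 FROM dbo.AppUser
                   WHERE UserName = @AppUserName
                     AND RoleName IN ('Reader', 'Editor'))
    BEGIN
        RAISERROR('User %s is not permitted to read orders.', 16, 1, @AppUserName);
        RETURN;
    END;
    SELECT OrderId, Amount FROM dbo.Orders;
END;
GO
-- Least privilege for the single login named in web.config: it can only
-- EXECUTE the procedures and is explicitly denied direct table access.
CREATE LOGIN AppWebLogin WITH PASSWORD = '<placeholder: set a strong password>';
CREATE USER AppWebUser FOR LOGIN AppWebLogin;
CREATE ROLE AppExecOnly;
EXEC sp_addrolemember 'AppExecOnly', 'AppWebUser';
GRANT EXECUTE ON dbo.GetOrders TO AppExecOnly;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders  TO AppExecOnly;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.AppUser TO AppExecOnly;
GO
-- Check (run as a sysadmin or with IMPERSONATE rights): the app user can
-- read orders only through the procedure, and only for a user with a role.
EXECUTE AS USER = 'AppWebUser';
EXEC dbo.GetOrders @AppUserName = 'steve';        -- returns the two rows
EXEC dbo.GetOrders @AppUserName = 'unknownuser';  -- error 50000: not permitted
SELECT * FROM dbo.Orders;                         -- error 229: permission denied
REVERT;
```

Because the procedure and the tables share the owner dbo, ownership chaining lets the procedure read the tables even though the app role is denied direct access. The role check is only as trustworthy as the @AppUserName the application passes, so the app login must remain the only path to the data and the web.config credentials must be protected accordingly.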
elwoos
Master Smack Fu Yak Hacker
2052 Posts
Posted - 2005-11-14 : 03:21:40

Cheers Jon, many thanks for that.

steve
-----------
Facts are meaningless. You could use facts to prove anything that's even remotely true!