More on Application Security and Directories

Craig has written follow-up Application Security articles to the ones I referenced in my prior post; he quickly jumped to 14! Read them here: 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14. Some of my notes from the new articles follow.

Active Directory Application Mode (ADAM) is an LDAP-compliant standalone directory service, so you can install it on Windows machines for purposes other than Windows domains. It's a free download from Microsoft here. The big advantage of using ADAM is that it gives you a directory for your application's data that is independent of the enterprise global directory, which is tightly controlled by your enterprise system administrators, who are unlikely to permit your application to add new attributes and classes to it (and probably rightfully so). Instead, use ADAM to store your application's data in its own directory and use Microsoft Identity Integration Server 2003 (a "meta-directory") to synchronize the two directories.

A mention of the Windows Server 2003 Authorization Manager was insightful for me as well. Basically this is a rules-based way to authorize operations, rather than authorizing access to an "object" (where an object might be a file or other physical data store). An article on developing for Windows Server 2003 Authorization Manager can be found here. I think this might be something we should consider for ActiveReports in the future. Since reports are not always suitable for object-centric authorization, authorizing a client to view or modify a dynamic report via the Authorization Manager's "BizRules" might make a lot of sense. Right now the whole Authorization Manager is not .NET'ified at all. It's unmanaged, and the BizRules are written in VBScript and JScript. I think anything to do with security should be immediately moved to managed code; the benefits are obvious.

In Part 10, Craig begins to give us a hint of how an application might use AM from .NET's System.Security.Principal.IPrincipal interface. In Part 13, he uses System.DirectoryServices (which he refers to as "the ghetto of the .NET Framework") to work with ADAM. See my prior post mentioning the .NET C# LDAP Library. You'll find it much friendlier than "the ghetto of the .NET Framework".
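As an added illustration (my own sketch, not code from Craig's articles or from the .NET C# LDAP Library), here is how an application might look up an entry in an ADAM partition with System.DirectoryServices. The host, port, partition DN and the presence of the `user` class in the ADAM schema are assumptions; the point to notice is that any caller-supplied value is escaped before it is spliced into the LDAP filter, so it can only ever match a value and never change the shape of the query.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example: query an ADAM instance from .NET via System.DirectoryServices.
// Host, port and partition DN are placeholders for a hypothetical ADAM install.
class AdamLookup
{
    const string AdamHost = "adam-host.example.internal";   // placeholder host
    const int AdamPort = 389;                                 // placeholder (ADAM's default LDAP port)
    const string PartitionDn = "O=AppData,C=US";              // placeholder application partition

    // Escape a value per RFC 2254 so untrusted input cannot alter the filter structure.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    static void Main(string[] args)
    {
        string userName = args.Length > 0 ? args[0] : "alice";
        string path = string.Format("LDAP://{0}:{1}/{2}", AdamHost, AdamPort, PartitionDn);

        // Bind with the caller's Windows credentials, signed and sealed, instead of an
        // anonymous simple bind. (ADAM-defined principals would need a simple bind over SSL.)
        using (var root = new DirectoryEntry(path, null, null,
                   AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing))
        using (var searcher = new DirectorySearcher(root))
        {
            // Assumes the optional "user" class was imported into this ADAM instance's schema.
            searcher.Filter = "(&(objectClass=user)(cn=" + EscapeFilterValue(userName) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PropertiesToLoad.Add("mail");
            searcher.SizeLimit = 1;

            SearchResult result = searcher.FindOne();
            if (result == null) { Console.WriteLine("No such user."); return; }
            Console.WriteLine(result.Properties["distinguishedName"][0]);
        }
    }
}
```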

posted @ Thursday, March 04, 2004 11:47 PM

