Security Application Block

 

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

The latest Enterprise Library information can be found at the Enterprise Library site.

patterns & practices Developer Center

Enterprise Library for .NET Framework 1.1

Microsoft Corporation

June 2005

Summary

This page provides an overview of the Enterprise Library Security Application Block. This is reusable and extensible source code-based guidance that simplifies development of common security functionality in .NET-based applications.

* Important Note: The January 2005 release of Enterprise Library is no longer available to download, due to important issues discovered after the release. Customers building new applications should move to the June 2005 release. Customers who have already adopted the January release must apply the patches available on the Enterprise Library Community site. Please direct any questions to the community site or to devfdbck@microsoft.com.

Contents

Introduction to the Security Application Block
Design of the Security Application Block
Test Drive
Feedback and Support
June 2005 Release Updates
Roadmap
Authors and Contributors
Related Titles

Introduction to the Security Application Block

The Microsoft Enterprise Library Security Application Block helps developers implement common security-related functionality in their applications. Applications can use the application block in a variety of situations, such as authenticating and authorizing users against a database, retrieving role and profile information, and caching user profile information. The Security Application Block has the following features:

  • It reduces the requirement to write boilerplate code to perform standard tasks.
  • It helps maintain consistent security practices, both within an application and across the enterprise.
  • It eases the learning curve for developers by using a consistent architectural model across the various areas of functionality provided.
  • It provides implementations that you can use to solve common application security problems.
  • It is extensible; it supports custom implementations of security providers.

Common Scenarios

Developers frequently write applications that require security functionality. These applications typically have to perform a diverse series of security operations, and they will frequently interact with differing underlying security providers, such as the Microsoft Active Directory directory service, Authorization Manager, Active Directory Application Mode (ADAM) and custom databases.

The Security Application Block simplifies the work of developers by collecting together many of the most common security tasks that a developer has to perform. Each task is handled in a consistent manner, abstracting the application code from the specific security providers and using best practices. You can even change underlying providers through configuration changes, without changing the underlying application code.

The Security Application Block provides code that will help you with the following scenarios:

  • Authentication
  • Authorization
  • Role management
  • Profile management
  • Caching principals

Audience Requirements

This application block is intended for software architects and software developers. To benefit fully from this guidance, you should have an understanding of the following technologies:

  • Microsoft Visual C# development tool or Microsoft Visual Basic development system
  • .NET Framework (including .NET security concepts)
  • Basic knowledge of topics such as Microsoft Windows authentication and authorization

Highlights of the Enterprise Library Security Application Block

The Security Application Block is an enhancement of an earlier application block, named the Authorization and Profile Application Block. This release of the Security Application Block includes a number of features not contained in the Authorization and Profile Application Block. These features include the following:

  • Authentication support
  • Authorization without the requirement for Authorization Manager
  • Caching of security-related credentials
  • Additional providers

Migrating from the Authorization and Profile Application Block

Users of the Authorization and Profile Application Block should recognize many of the scenarios addressed by the Enterprise Library Security Application Block. The current version builds on the knowledge and feedback gained from earlier releases, and it represents a significant change in how those scenarios are addressed.

Some of the key differences between the Enterprise Library version of the Security Application Block and the Authorization and Profile Application Block include the following:

  • The Enterprise Library Security Application Block includes functionality to assist with authentication. The Authorization and Profile Application Block did not include any functionality to implement authentication.
  • Instead of calling provider managers, developers now call methods on factory classes. These classes are consistent across the different areas of functionality of the application block.
  • Instead of using an Extended Principal with additional methods, the methods are supplied with the providers. This allows you to use them with custom IPrincipal implementations.

System Requirements

The requirements for the Security Application Block are the following:

  • Microsoft Windows 2000, Windows XP Professional, or Windows Server 2003 operating system
  • Microsoft .NET Framework version 1.1
  • Microsoft Visual Studio .NET 2003
  • Stores to maintain data used for authentication, authorization, profile, and role information (exact requirements depend on how you use the application block)
  • A store to cache security information (required only if you use the caching functionality of the application block)
  • One or more authorization stores to maintain authorization data (if you are going to use the application block for authorization)

Note   If you use the Authorization Manager provider, it requires Microsoft Windows 2000 Server with Service Pack 4 or Microsoft Windows Server 2003.

Security Application Block Dependencies

The Enterprise Library Application Blocks are designed to be used in conjunction with each other. Sometimes, the application blocks have dependencies on other application blocks and code that is included with the Enterprise Library. The Security Application Block has the following dependencies:

  • The Configuration Application Block. The Security Application Block uses it to read its configuration information.
  • Common library functionality, such as instrumentation. This provides various functions for exposing events and data used for system management.

Depending on the specific functionality you require from the Security Application Block, you may also require one or both of the following application blocks contained in the Enterprise Library:

  • The Data Access Application Block. The database providers of the Security Application Block use the Data Access Application Block to access security information contained in a database.
  • The Caching Application Block. The Security Application Block uses the Caching Application Block to cache security information and then retrieve it when required.

By default, the application block uses XML files to store configuration information. You can modify this configuration information to change the behavior of the application block. The recommended way to modify this information is to use the Enterprise Library Configuration Console.

The actual security information (authorization data, authentication stores and profile information) is managed by the providers of the respective areas of the application block.

Design of the Security Application Block

The Security Application Block is designed to achieve the following goals:

  • To provide a simple and intuitive interface to the commonly required functionality
  • To encapsulate the logic used to perform the most common application security tasks
  • To present a standard provider model for common security tasks
  • To ensure that the application block is extensible
  • To ensure minimal or negligible performance impact compared to manually written security code that accomplishes the same functionality
  • To incorporate best practices for application security

Design Highlights

Figure 1 illustrates the design of the Security Application Block.

Figure 1. Design of Security Application Block

The Security Application Block incorporates implementations of commonly needed application security functionality into its design. These tasks include authorization, authentication, profile management, and role management.

Test Drive

The Security Application Block has been developed as a result of analyzing common enterprise development challenges and successful solutions to these challenges. However, because each application is unique, you will not find this application block suitable for every application. To evaluate this application block and determine its applicability to your projects, Microsoft suggests you dedicate at least half of a day to explore the application block. The following is a suggested evaluation approach:

  1. Download Enterprise Library.
  2. Install Enterprise Library and compile all application blocks and tools.
  3. Read the "Introduction" section of the documentation.
  4. Compile and run the QuickStart samples, and read through the related "QuickStart Walkthroughs" and "Key Scenarios" sections of the documentation.
  5. If the application block looks like a good fit for your application, try implementing a simple use case in your application or in a throw-away prototype application using the application block.

Feedback and Support

Questions? Comments? Suggestions? To provide feedback about this application block, or to get help with any problems, please visit the Enterprise Library Community site. The community site is the preferred feedback and support channel because it allows you to share your ideas, questions, and solutions with the entire community. Alternatively, you can send e-mail directly to the Microsoft patterns & practices team at devfdbck@microsoft.com, although we are unable to respond to every message.

Enterprise Library is a guidance offering, designed to be reused, customized, and extended. It is not a Microsoft product. Code-based guidance is shipped "as is" and without warranties. Customers can obtain support through Microsoft Support Services for a fee, but the code is considered user-written by Microsoft support staff. For more information on our support policy, see the Enterprise Library home page.

June 2005 Release Updates

The June 2005 release of Enterprise Library is a minor update of the original version released in January 2005. Please see About the June 2005 Release for more information on the updates to the application blocks for the June 2005 release.

Roadmap

An updated release of the Security Application Block is planned for the next release of Enterprise Library. This release will target the .NET Framework 2.0 and Visual Studio 2005 and will include additional improvements based on customer feedback.

Authors and Contributors

The Enterprise Library Security Application Block was produced by the following people:

  • Program Managers: William Loeffler (Microsoft Corporation), Linh Nguyen (Avanade Inc)
  • Product Manager: Tom Hollander (Microsoft Corporation)
  • Architects: Edward Jezierski (Microsoft Corporation), Kyle Huntley (Avanade Inc)
  • Development: Scott Densmore, Peter Provost (Microsoft Corporation), Brian Button (Murphy and Associates), Hisham Baz (Avanade Inc), Paul Currit (Avanade Inc), Rick Zimmerman (Avanade Inc)
  • Test: Mohammad Al-Sabt, Carlos Farre (Microsoft Corporation), Mani Krishnaswami, Gokulaprakash Thilagar, Rohit Sharma, Prashant Bansode, Jeevarani Radhakrishnan, Dhananjaya Rao (Infosys Technologies Ltd), Pavan Kumar Sura (Volt)
  • Documentation and Samples: RoAnn Corbisier (Microsoft Corporation), Tim Osborn (Ascentium Corporation), Roberta Leibovitz (Modeled Computation LLC), Paul Slater (Wadeware LLC), Tina Burden McGrayne (Linda Werner & Associates Inc)

Many thanks to the following advisors who provided invaluable assistance:

  • Rudy Araujo, Yen-Ming Chen, Mark Curphey and David Raphael of Foundstone Inc.
  • Benoit Morneau and Shoichi Takasaki of Bowne Global Solutions
