Project: Access Control for ASP.NET Application

  • If you are considering applying this project to a real-world software project, please let me know. If you need more information, please let me know as well.

Version: 0.2
=========================================================
In version 0.1, the data of users, roles, and permissions is loaded into memory when the HttpModule is activated for the first time.
The HttpModule keeps the user, role and permission data in memory as long as it can. With the default IIS configuration,
that data is kept in memory as static objects for 20 minutes.
So what if the user, role or permission data changes within those 20 minutes? It means the static objects
must be updated to reflect the latest access control information. Therefore, the main goal of this version, 0.2,
is to update the static objects in memory whenever the user, role and permission data is updated in the database.
This goal is achieved with a query-and-response model. After overall consideration, the query notification feature of MS SQL
Server 2005 or later is used to reach the goal of this version.
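An added example (not the project's own code) of the version 0.2 refresh: a static permission cache that reloads itself through a SQL Server query notification (SqlDependency). The table dbo.Permissions, its columns RoleName and PagePath, the class name and the connection string are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

public static class PermissionCache
{
    const string ConnectionString = "<your connection string>";   // assumption
    static volatile Dictionary<string, HashSet<string>> _permissions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    // Loads dbo.Permissions and registers a notification for the next change; needs
    // SqlDependency.Start(ConnectionString) once at startup and Service Broker enabled.
    public static void Reload()
    {
        var fresh = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
        using (var conn = new SqlConnection(ConnectionString))
        // Query notifications need a two-part table name and an explicit column list;
        // "SELECT *" or a missing schema yields an immediate invalid notification.
        using (var cmd = new SqlCommand("SELECT RoleName, PagePath FROM dbo.Permissions", conn))
        {
            var dependency = new SqlDependency(cmd);   // attach before executing
            dependency.OnChange += OnPermissionsChanged;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read())
                {
                    string role = reader.GetString(0), page = reader.GetString(1);
                    HashSet<string> pages;
                    if (!fresh.TryGetValue(role, out pages))
                        fresh[role] = pages = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
                    pages.Add(page);
                }
        }
        _permissions = fresh;   // swap the whole map; readers never see a half-built one
    }

    // A notification fires only once, so the handler reloads, which re-subscribes.
    // Type == Subscribe means the subscription itself failed (see e.Info); do not loop on it.
    static void OnPermissionsChanged(object sender, SqlNotificationEventArgs e)
    {
        ((SqlDependency)sender).OnChange -= OnPermissionsChanged;
        if (e.Type == SqlNotificationType.Change) Reload();
    }

    public static bool IsAllowed(string role, string page)
    {
        HashSet<string> pages;
        return _permissions.TryGetValue(role, out pages) && pages.Contains(page);
    }
}
```

Call Reload() once from Application_Start after SqlDependency.Start; from then on every committed change to dbo.Permissions replaces the static map without recycling w3wp.exe.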

Jan 18 2009: this version is released to the public.

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Version: 0.1
=========================================================
This is a very basic version right now.
This project provides access control, specifically role-based access control, for your ASP.NET web application by using the HttpModule technology.

Before we go further
=====================
1. You need to know the basics of ASP.NET
2. You are required to know the fundamental idea of HttpModule in ASP.NET
3. You need to know the basics of Role-Based Access Control

Why I created this open source project
======================================
In most real-world software projects, authentication and authorization are always work that has to be designed, planned, and implemented.
In my past experience, software often did this work with a page-level function: authentication and authorization were implemented as a function and deployed in every .ASPX page. This is simple and straightforward. But what if we could deploy authentication and authorization as part of the infrastructure of our web applications? Imagine that our programmers do not have to care about infrastructure work like authentication and authorization and can pay full attention to the business logic of the software project. A component that provides authentication and authorization, integrates into the web application and requires no changes to existing code is a wonderful situation for all project members.
So I created a component that does authentication and authorization in an HttpModule. With it, programmers are not required to change their code to meet access control requirements.
There are many different access control mechanisms. I chose RBAC (Role-Based Access Control) as the model for this open source project. RBAC is popular in the industry, so most people should understand it. However, this 0.1 version does not cover the hierarchy concept yet; that is a future goal.

How it works
============
The required methods of an HttpModule, Init and Dispose, are defined in FirstClass.cs. Following the event sequence of the HttpModule, I create several events and use two of them to do authentication and authorization.
The main idea is that all user, role, and permission data is loaded from your repository (in this version, only a database). So you have three static objects, FirstClassUsers, FirstClassRoles and _FirstClassPermissions, in your w3wp.exe process. When a connection reaches the web site and a user provides his or her username and password, all authentication and authorization operations work against those three static
objects. So if your database goes offline at that point, nothing is affected until w3wp.exe has to refresh.
Therefore authentication and authorization are very fast. By now you may have some questions in mind. What if the data in the database changes? Yes, you got it. In that case the three static objects have to reload their data from the repository. However, this is not done in this version; I am planning it for the next version.
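The two pipeline events and the static objects described above, as an added example that is not the project's FirstClass.cs: the class name RbacModule is assumed, and the user, role and permission values are constructed in place of the database load.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class RbacModule : IHttpModule
{
    // Static (per w3wp.exe process) data; constructed sample values stand in for the database.
    static readonly Dictionary<string, string> UserRoles = new Dictionary<string, string>(
        StringComparer.OrdinalIgnoreCase) { { "alice", "Admin" }, { "bob", "Viewer" } };
    static readonly Dictionary<string, HashSet<string>> RolePermissions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase) {
            { "Admin",  new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "/admin/users.aspx", "/reports.aspx" } },
            { "Viewer", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "/reports.aspx" } } };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticate;   // identity -> role
        app.AuthorizeRequest += OnAuthorize;         // role -> page
    }

    public void Dispose() { }
    // The identity was already set by FormsAuthenticationModule (it runs earlier in the
    // same event); this module only attaches the role from the static data.
    static void OnAuthenticate(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        string role;
        if (UserRoles.TryGetValue(ctx.User.Identity.Name, out role))
            ctx.User = new GenericPrincipal(ctx.User.Identity, new[] { role });
    }

    // Deny by default: the page runs only if one of the user's roles is granted it.
    static void OnAuthorize(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        string page = ctx.Request.AppRelativeCurrentExecutionFilePath.TrimStart('~');
        if (IsAllowed(ctx.User, page)) return;
        ctx.Response.StatusCode = 403;
        ctx.ApplicationInstance.CompleteRequest();   // skip the rest of the pipeline
    }

    public static bool IsAllowed(IPrincipal user, string page)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        foreach (var kv in RolePermissions)
            if (user.IsInRole(kv.Key) && kv.Value.Contains(page)) return true;
        return false;
    }
}
```

Register the module in web.config under <system.web><httpModules> (classic pipeline) or <system.webServer><modules> (IIS 7 integrated pipeline); no .ASPX page needs to change.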

Future
======
When you browse the code, you will find some places marked "future", which means I have plans for them. For now, I can give a rough roadmap of this open source project.
Version 0.2: When user, role, and permission data in the repository changes, the associated static objects in w3wp.exe are updated as well.
Version 0.3: Give User and Role a "Hierarchy", closer to standard RBAC.
Version 0.4: Provide more information for page-level application. /* to be clear later */

More documents or introduction
==============================
All of them are on paper and in my mind. I will work hard to make slides that introduce more and documents that explain the programming code. When I finish them, you will find them here.


Last edited Jun 23, 2010 at 5:25 AM by byclee, version 15