Designing for Simplified Authorization

Microsoft Enterprise Library 5.0


Uniform implementations make code easier to understand, more predictable, and easier to maintain. However, developers can implement authorization in applications in many different ways. For example, they may have to use an approach that conforms to the security policies of their organizations. Alternatively, they may use approaches that suit the needs of particular departments or of the applications themselves.

The Security Application Block encapsulates the logic that performs authorization operations into a single interface that specifies only a small number of methods. These methods can be used by different authorization providers. This means that applications that use the Security Application Block are consistent in the ways that they authorize users to perform tasks. With the Security Application Block, this consistency holds across single projects, multiple projects, or enterprise-scale solutions.

Design Implications

The following decisions about the design of the Security Application Block ensure that it simplifies the ways developers implement authorization in their applications:

  • The Security Application Block defines an interface that can be used by different authorization providers. This interface exposes only a small number of methods that a developer needs to understand.
  • The block includes implementations of commonly used authorization providers.

The next sections describe how these decisions were implemented in the Security Application Block.

Common Interface with a Limited Number of Methods

The Security Application Block defines a single interface that encapsulates the logic required to perform common authorization tasks. This interface is named IAuthorizationProvider. It has one method named Authorize. The following code shows the Authorize method signature.

C#
bool Authorize(IPrincipal principal, string context);

Visual Basic
Function Authorize(ByVal principal As IPrincipal, ByVal context As String) As Boolean

An IPrincipal object represents the security context of the user on whose behalf the code is running. This object includes the user's identity, which is defined by an implementation of the IIdentity interface, and any roles to which the user belongs. The second parameter is a string whose meaning is specific to the authorization provider.
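The following added example (not part of the original documentation or of Enterprise Library) shows a provider written against the Authorize signature above that denies by default. The interface is redeclared locally so the sample compiles on its own; RoleMapAuthorizationProvider, the rule name, and the users are hypothetical, constructed values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Declared locally so the sample compiles without Enterprise Library;
// the signature is the one shown above.
public interface IAuthorizationProvider
{
    bool Authorize(IPrincipal principal, string context);
}

// Hypothetical provider: context is a rule name mapped to the roles it allows.
public sealed class RoleMapAuthorizationProvider : IAuthorizationProvider
{
    private readonly IDictionary<string, string[]> rules;
    public RoleMapAuthorizationProvider(IDictionary<string, string[]> rules)
    {
        if (rules == null) throw new ArgumentNullException("rules");
        this.rules = rules;
    }

    public bool Authorize(IPrincipal principal, string context)
    {
        // Fail closed: no principal, anonymous caller, or unknown rule name.
        if (principal == null || principal.Identity == null) return false;
        if (!principal.Identity.IsAuthenticated) return false;
        string[] allowed;
        if (context == null || !rules.TryGetValue(context, out allowed)) return false;
        return allowed.Any(principal.IsInRole);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample rule and users.
        var rules = new Dictionary<string, string[]> { { "ApproveExpense", new[] { "Manager", "Finance" } } };
        IAuthorizationProvider provider = new RoleMapAuthorizationProvider(rules);
        IPrincipal manager = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Manager" });
        IPrincipal clerk = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Clerk" });
        // An empty name makes GenericIdentity report IsAuthenticated == false.
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new[] { "Manager" });
        Console.WriteLine(provider.Authorize(manager, "ApproveExpense"));   // role matches the rule
        Console.WriteLine(provider.Authorize(clerk, "ApproveExpense"));     // role not in the rule
        Console.WriteLine(provider.Authorize(anonymous, "ApproveExpense")); // unauthenticated caller
        Console.WriteLine(provider.Authorize(manager, "DeleteLedger"));     // unknown rule name
    }
}
```

Because callers depend only on the interface, the same call sites keep working when a different provider is configured; only the meaning of the context string changes.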

Include Common Providers

The Security Application Block includes two implementations of the authorization provider interface. The AuthorizationRuleProvider implementation validates expressions against rules that you create using the Rule Expression Editor within the configuration tools. The rules are strings that contain tokens and values. When you configure your application to use the AuthorizationRuleProvider, the Authorize method accepts a rule name as the context parameter.

The block also includes the AzManAuthorizationProvider. This provider requires that Authorization Manager be installed on the computer. (For information about installing Authorization Manager, see Building Enterprise Library from the Source Code.) When you configure your application to use the AzManAuthorizationProvider, the Authorize method accepts operations or tasks as the context parameter.