I've been trying to find resources and guidelines for implementing authentication and authorization in multiple layered architectures (C#), but haven't found any "best practices" or patterns to use. And I figured that there must be some patterns for this, as it is a pretty important area.
The application that we're developing is layered traditionally, having:
data layer (Entity Framework 4)
repositories
domain layer
service layer (can be WCF, with data transfer objects)
multiple clients consuming the WCF service (ASP.NET [MVC], Silverlight, WPF) and clients accessing a service layer directly (no WCF)
Are there books/articles/blogs that dig deeply into this area? Primarily about authorization (such as handling multiple roles and attributes attached to users).
It doesn’t have to be specific for the .NET Framework, but it would be preferred.
UPDATE:
I got some good links already, but I'm looking for more implementation examples and articles. Maybe a solution where something like the above is implemented?
These resources can be helpful:
http://msdn.microsoft.com/en-us/security/aa570351.aspx from Microsoft, mostly about Windows Identity Foundation
A Guide to Claims-based Identity and Access Control from the Microsoft Patterns & Practices team
Best Regards
Yes there is; you can check the patterns & practices Application Architecture Guide 2.0.
It will give you design-level guidance for the architecture and design of applications.
And also a good thing: it is specific to .NET :)
Some links to check:
Common Security Scenarios
patterns & practices: WCF Security Guidance
patterns & practices Improving Web Services Security Guide
Security Considerations (Entity Framework)
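Since the question asks for implementation examples of role- and attribute-based authorization across the layers, here is one as an added example; it is not code from the question, the answers or the linked guides. It puts the decision in the service layer, driven only by the caller's claims, so the MVC, Silverlight, WPF and in-process clients all go through the same check. It uses System.Security.Claims from .NET 4.5 (WIF on .NET 4 offers the same model under Microsoft.IdentityModel); the Order type, the department claim URI, the role names and the two sample users are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Claims;

// Added example, not from the question or the linked guides: authorization decided in
// the service layer from the caller's claims alone, so every client (ASP.NET MVC,
// Silverlight, WPF, or an in-process caller) is held to the same rules.
// The Order type, the department claim URI, the role names and the sample users
// are assumptions made for this example.

namespace Example.Sales.Service
{
    public static class AppClaimTypes
    {
        public const string Department = "http://example.com/claims/department"; // assumed URI
    }

    public class Order
    {
        public int Id { get; set; }
        public string Department { get; set; }
        public bool Approved { get; set; }
    }

    public class OrderService
    {
        private readonly Dictionary<int, Order> _orders;   // stands in for the repository

        public OrderService(IEnumerable<Order> seed) { _orders = seed.ToDictionary(o => o.Id); }

        // Read rule: Auditors see everything; everyone else only their own department.
        public Order GetOrder(ClaimsPrincipal caller, int id)
        {
            var order = _orders[id];
            if (!caller.IsInRole("Auditor") && !SameDepartment(caller, order))
                throw new SecurityException("Not allowed to read order " + id + ".");
            return order;
        }

        // Write rule: Manager role and matching department. Both checks live here; hiding
        // an "Approve" button in the WPF or MVC client is not an authorization control.
        public void ApproveOrder(ClaimsPrincipal caller, int id)
        {
            var order = _orders[id];
            if (!caller.IsInRole("Manager"))
                throw new SecurityException("Approving requires the Manager role.");
            if (!SameDepartment(caller, order))
                throw new SecurityException("Managers may only approve their own department's orders.");
            order.Approved = true;
        }

        private static bool SameDepartment(ClaimsPrincipal caller, Order order)
        {
            // An anonymous principal carries no claims, so this also rejects unauthenticated callers.
            return caller.Identity.IsAuthenticated
                && caller.HasClaim(AppClaimTypes.Department, order.Department);
        }
    }

    public static class Program
    {
        // Builds the kind of principal an STS or the hosting client hands to the service.
        public static ClaimsPrincipal User(string name, string department, params string[] roles)
        {
            var claims = new List<Claim> { new Claim(ClaimTypes.Name, name),
                                           new Claim(AppClaimTypes.Department, department) };
            claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
            return new ClaimsPrincipal(new ClaimsIdentity(claims, "Example")); // non-null type => IsAuthenticated
        }

        public static void Main()
        {
            var service = new OrderService(new[] { new Order { Id = 1, Department = "Sales" },
                                                   new Order { Id = 2, Department = "Finance" } });
            var alice = User("alice", "Sales", "Manager");
            var bob   = User("bob", "Finance", "Clerk");

            var attempts = new Dictionary<string, Action> {
                { "alice approves Sales order 1",   () => service.ApproveOrder(alice, 1) },
                { "alice approves Finance order 2", () => service.ApproveOrder(alice, 2) },  // wrong department
                { "bob approves Finance order 2",   () => service.ApproveOrder(bob, 2) },    // right department, wrong role
                { "bob reads Sales order 1",        () => service.GetOrder(bob, 1) } };       // not his department
            foreach (var a in attempts)
            {
                try { a.Value(); Console.WriteLine(a.Key + ": allowed"); }
                catch (SecurityException e) { Console.WriteLine(a.Key + ": denied (" + e.Message + ")"); }
            }
        }
    }
}
```

Run it as a console app: the first attempt is allowed and the other three are refused by the service layer, whatever the UI would have shown. The point for a layered design is that the claims principal is the only input the domain rule needs, so the same OrderService serves a WCF host (which builds the principal from the incoming token) and an in-process ASP.NET caller (which builds it from forms authentication); no client gets a separate, weaker path.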
Related
I'm really really new to programming with an architecture, so I hope someone here can help me.
I have a solution in C# .NET with the following architecture:
Data: Contains the UoW, Repositories, Entity Framework mapping and context.
Design: It'll contain the WPF and Web projects.
Domain: Contains entities that all the other projects will be using.
Service: HERE IS MY PROBLEM!! I have no idea what to do here.
I need to implement a web service that will be consumed by the WPF and Web projects, but I don't know if it really goes here and how it needs to be (Web API or WCF).
A Service in this case is a layer in your application that supports the higher layers with methods to communicate with the underlying layers (Data). You should read up on design patterns in general, and in particular the Service Pattern and Repository Pattern. You should educate yourself on the differences between WCF and Web API, where the first is XML based and the latter is a RESTful API, which I would recommend from a modernity perspective if you can choose what to implement.
Web API.
WCF
I've been asked to investigate WCF security and authentication in order to build a set of web services that fit into our business application.
Currently our application is written with ASP.NET with a lot of back-end code written in C#, and some WCF services which rely on forms authentication. Unfortunately, as time has progressed, the code base has become very ad-hoc, therefore there is no real logical separation/layering.
In the grand scheme of things, we want a structured application with a data access layer, business logic layer, data transport layer (WCF) and various presentation layers (of which the ASP.NET website will be one).
I've been told that in future, we may also support presentation layers written using Windows Forms, WPF, Console Applications and even some written in Java (for Linux and Mac users).
I'm relatively new to WCF. I understand the basic principles of it, but when it comes to authentication/security, I'm definitely no expert!
I know there are lots of different strategies for authentication/security in WCF; I'm looking for the most suitable given the range of presentation platforms. So, given the scenario of using ASP.NET, Windows Forms, WPF, Java as the various presentation layers, what is the best strategy for authentication and security in WCF services?
The best strategy for you is going to depend on your security requirements. In other words, there is not a best strategy that applies to all solutions.
I would suggest taking a look at the WCF Security Guide. It will get you up to speed on the basics of security in WCF. It also has sections for common Intranet and Internet scenarios with prescriptive guidance for each. Based on the little bit of information you've provided here, I think you will find one of these scenarios aligns to your needs. The guide is old, but still very relevant.
Later, you may want to look at the benefits of moving to a claims-based security model. This is a huge topic so I'll just point you to this guide for future reference.
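As an added example, not from this answer or from the WCF Security Guide, here is the shape of one common configuration for the mixed-client scenario in the question: a self-hosted WCF service that accepts a WS-Security UsernameToken over HTTPS (basicHttpBinding with TransportWithMessageCredential, which the Java SOAP stacks can also produce), validates it with a custom validator against salted PBKDF2 hashes, and then checks the authenticated name's roles inside the operation. The user store, the URL and port (which need a TLS certificate bound with netsh before host.Open() succeeds) and the sample users are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not from the answer or the WCF Security Guide: username authentication
// over HTTPS with a custom validator, then a role check on the authenticated name inside
// the operation. The user store, the URL/port and the sample users are assumptions.

[ServiceContract]
public interface IOrderService { [OperationContract] string Approve(int orderId); }

public class OrderService : IOrderService
{
    // Enforced here, whichever client (ASP.NET, WPF, WinForms, Java) sent the message.
    public string Approve(int orderId)
    {
        var name = ServiceSecurityContext.Current.PrimaryIdentity.Name;   // set after the validator succeeded
        if (Array.IndexOf(UserStore.Roles(name), "Manager") < 0)
            throw new FaultException("Approving orders requires the Manager role.");
        return "order " + orderId + " approved by " + name;
    }
}

// In-memory stand-in for the user table: salt, PBKDF2 hash and roles per user.
public static class UserStore
{
    private class Entry { public byte[] Salt; public byte[] Hash; public string[] Roles; }
    private static readonly Dictionary<string, Entry> Users = new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

    public static void Add(string name, string password, params string[] roles)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Users[name] = new Entry { Salt = salt, Hash = Pbkdf2(password, salt), Roles = roles };
    }

    public static bool Verify(string name, string password)
    {
        Entry e;
        if (!Users.TryGetValue(name, out e)) { Pbkdf2(password, new byte[16]); return false; } // same cost for unknown names
        return FixedTimeEquals(Pbkdf2(password, e.Salt), e.Hash);
    }

    public static string[] Roles(string name)
    {
        Entry e;
        return Users.TryGetValue(name, out e) ? e.Roles : new string[0];
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// WCF calls this for every message that carries a UsernameToken.
public class StoreValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null || !UserStore.Verify(userName, password))
            throw new FaultException("Unknown user name or incorrect password."); // one message for both cases
    }
}

public static class Program
{
    public static void Main()
    {
        UserStore.Add("alice", "correct horse battery staple", "Manager");
        UserStore.Add("bob", "hunter2", "Clerk");   // authenticates, but Approve is refused

        // Transport security is mandatory: the UsernameToken carries the password itself.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;

        var host = new ServiceHost(typeof(OrderService), new Uri("https://localhost:8443/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new StoreValidator();
        host.Open();
        Console.WriteLine("Listening on " + host.BaseAddresses[0] + "; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

A .NET client authenticates by setting client.ClientCredentials.UserName.UserName and .Password before the first call; a Java client sends the same UsernameToken header. Two caveats before copying this: the validator runs on every message, so a deliberately slow hash is also CPU an unauthenticated caller can burn (a session-establishing binding such as wsHttpBinding, or a short-lived cache of successful checks, bounds it), and the validator's error text is intentionally the same for unknown users and wrong passwords so the service does not enumerate accounts.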
While reading SOA articles I came across an article at http://www.ibm.com/developerworks/websphere/library/techarticles/0806_boughannam/0806_boughannam.html . This explains a Semantic/Logical service. There is an example of a "request for organization data coming from the sales department". This approach helps in overcoming the silos concept.
I was wondering whether there is any WCF implementation similar to the architecture mentioned in the article. Though I made some search, I could not find out one.
Could you please provide details of such an implementation or provide a reference to a similar implementation in WCF?
READING:
Enabling Business Capabilities with SOA
http://msdn.microsoft.com/en-us/architecture/aa699435
Service Virtualization With The Managed Services Engine
http://msdn.microsoft.com/en-us/magazine/dd727511.aspx
Managed Services Engine (MSE) Roadmap
Building a platform for Service Oriented Architecture usually involves several technologies to fulfill the different requirements involved. WCF could be a part of that solution to provide different transport and message format options for services involved, but would not suffice as the only basis to build the platform on.
The architecture in the article is a fairly standard service oriented one for larger corporations and can be implemented in a variety of technologies. I would suggest that you search that space and read about the various tools to see what fits your needs. The Microsoft space for example includes BizTalk, AppFabric, WCF, NServiceBus, SOA Governance, Master Data Services and SSIS. As SOA environments can be technology-agnostic, you could also browse other vendors or Open Source initiatives.
Okay people, here's another one for y'all:
I'm starting in the n-tier apps world. I've done some reading on the topic and the general advice is that n-tier apps' objective is to abstract functionality between layers. So, based on this, in an n-tiered app the regular model is:
Data Access -> Business Layer -> Presentation
Since I'm a .NET developer, I thought that to enhance integration with multiple client types (Silverlight, Web app or even a WinForms client) I should use WCF (Windows Communication Foundation) as data services at the business layer so clients can communicate with it regardless of their type. Also, I'm a huge fan of NHibernate as an ORM. So my structure goes like this:
Data Access (NHibernate) -> Business Layer (WCF) -> Presentation (WPF, ASP.NET, WinForms)
Okay, so that is the setup. I'm a total newbie in this kind of approach, so I thought I could post here requesting advice on this setup. Also, I'm very confused on how to set this up in a VS solution. I like to separate layers into different projects, but what about abstraction of data objects (like Customer, Order, etc.)? Do I put them in a separate library? And what about WCF? I know it is a programmer's sin to transfer the data classes over the wire to the client. What's the professional's way to achieve this?
Thanks, any advice would be very appreciated.
That's pretty much on target. N-Tier is a bit more complex than N-Layer, however, and can be contrasted by asking, "Are your layers actually living on separate physical servers?"
Depending on how complex your Business layer is, you might want to abstract it further between a Business and Service layer. Typically those two are tied very closely and live on the same physical server. The service layer often acts as a Facade to your BLL.
If your Presentation layer is on the same server, then your ASP.NET or WinForms apps might want to communicate with the BLL without going through WCF services.
Read up on Microsoft Patterns & Practices - Application Architecture Guide.
Your Domain objects should live in their own assembly, typically your domain model. According to the Microsoft Framework Design Guidelines, it's good practice to name your project assemblies accordingly:
[Company].[ProductOrComponent].[...]
I happen to like this format of namespacing and generally use:
[Company].[Product].[Layer].[SubLayer].[...]
Here is an example solution using solution folders to organize each project:
In this example, I have a BLL and a Service layer. The Service layer provides the actual implementation in a WCF Library, while the Presentation actually contains the WCF Web application to host the services. It's always good practice to split up implementation from interface.
The /Client folder can be ignored; I just use that as a sample console app for testing. Any Client applications that consume your service should probably have their own solution, or you're going to be managing a huge solution.
As for your data objects being transferred over the wire... I'm assuming you mean the classes from your ORM (Domain Model). You're correct, it's generally considered bad practice. The solution is using Data Transfer Objects. You can see from the picture I have a .Dto library. If you're able to use tools like AutoMapper, then I'm all for it; however, adding DTOs to your solution brings with it further complexity and maintenance. I believe Dino Esposito wrote a good article on the subject. Will try to find it for you.
Hope this helps.
[EDIT]
I should note, I'm unfamiliar with NHibernate's capabilities. There might be better solutions for using that ORM. I've only worked with Entity Framework.
[EDIT 2]
Check out Dino Esposito's - The Pros and Cons of Data Transfer Objects
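To make the "data classes over the wire" point concrete, here is an added example (not from the answer) showing what the default WCF serializer does with a bare ORM entity and what the DTO pair that replaces it looks like. The Customer entity, its fields and the mapper are assumptions; DataContractSerializer is used stand-alone so the wire shape can be seen without hosting a service.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Text;

// Added example, not from the answer: why ORM entities are not sent over the wire, and
// the DTO pair that replaces them. The Customer entity, its fields and the mapper are
// assumptions made for this example.

// Persistence entity: shaped by the database, including fields no client may see or set.
public class Customer
{
    public int Id { get; set; }
    public string Email { get; set; }
    public string PasswordHash { get; set; }
    public bool IsAdmin { get; set; }
    public decimal CreditLimit { get; set; }
}

// Outbound DTO: opt-in members only. No PasswordHash, no IsAdmin.
[DataContract]
public class CustomerDto
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Email { get; set; }
    [DataMember] public decimal CreditLimit { get; set; }
}

// Inbound DTO: only what a client may change. A request that adds <IsAdmin>true</IsAdmin>
// has nowhere to land, so over-posting cannot elevate the caller.
[DataContract]
public class UpdateCustomerRequest
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Email { get; set; }
}

public static class CustomerMapper
{
    public static CustomerDto ToDto(Customer c)
    {
        return new CustomerDto { Id = c.Id, Email = c.Email, CreditLimit = c.CreditLimit };
    }

    // Explicit, field-by-field copy onto the tracked entity; never reflection-copy the request.
    public static void Apply(UpdateCustomerRequest req, Customer target)
    {
        if (req.Id != target.Id) throw new ArgumentException("Id mismatch.");
        target.Email = req.Email;
    }
}

public static class Program
{
    // Serializes the way the default WCF serializer would for the given type.
    public static string Serialize<T>(T value)
    {
        var ser = new DataContractSerializer(typeof(T));
        using (var ms = new MemoryStream())
        {
            ser.WriteObject(ms, value);
            return Encoding.UTF8.GetString(ms.ToArray());
        }
    }

    public static void Main()
    {
        // Constructed sample row; the hash value is a placeholder, not a real hash.
        var entity = new Customer { Id = 7, Email = "a@example.com", PasswordHash = "not-a-real-hash",
                                    IsAdmin = true, CreditLimit = 5000m };

        // DataContractSerializer treats an attribute-less POCO as "serialize every public
        // read/write property", so returning the entity from an operation leaks PasswordHash.
        Console.WriteLine(Serialize(entity));
        Console.WriteLine(Serialize(CustomerMapper.ToDto(entity)));

        var req = new UpdateCustomerRequest { Id = 7, Email = "b@example.com" };
        CustomerMapper.Apply(req, entity);
        Console.WriteLine(entity.Email + " admin=" + entity.IsAdmin); // IsAdmin is unreachable from the update path
    }
}
```

The first output contains PasswordHash and IsAdmin because DataContractSerializer serializes every public read/write property of an attribute-less POCO; the second contains only the three opted-in members. On the inbound side the narrow request type does the same job for writes: fields a client must not set simply do not exist on the contract, which is the cleanest defence against over-posting. AutoMapper, mentioned in the answer, can generate ToDto; Apply is better kept explicit.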
My company is interested in porting a large business application to .NET. We plan on developing a desktop version and a Silverlight version. I mostly researched the CSLA framework (got Rocky's book, halfway through already) and found it a bit over-engineered; the data layer side didn't seem so polished either.
Are there any other frameworks that claim to do what CSLA is doing? I'm not talking about ORM tools (e.g. L2S, EF, NHibernate). I'm interested in a framework that supports business rules, easy n-tier architecture, objects that are domain driven and not database driven, security on the business objects, etc.
I know I can find small frameworks that will do some of the work required (Enterprise Application Block comes to mind) but I'm looking for one that has everything included.
I would be interested in hearing more about why you think CSLA is over-engineered. I have found it to be very feature rich, but most of the features just implement standard .NET framework interfaces, and so all the plumbing comes free and you definitely have to use it.
Your requirements seem to be a great fit for CSLA. Other frameworks (such as ORMs) contain validation/business rules but the major issue is that you are (in most cases) stuck with your data schema. This leads to objects that are not friendly for UI development and force you to know the intricacies of your database.
Here's a good blog post (archived version) courtesy of "Adam on the Net" discussing and comparing the following:
Castle Project
Spring.NET
Enterprise Library
CSLA
If I were you I would either pick Spring.NET or just start building your own framework around ASP.NET MVC and Fluent NHibernate, then slowly add your own building blocks as and when you need them. Enterprise Library blocks are good but heavy according to me, and have a lot of things that you may not really need.