Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>We have a very similar setup where I work. As @Mystere Man mentioned, there are risks with this setup, but if the whole infrastructure is setup and running correctly, we have found it to be a secure setup (we <em>do</em> care about security). One thing to ensure, is that the SiteMinder agent is running on the IIS node you're trying to secure, as it will validate an encrypted SMSESSION key also passed in the headers, which will make the requests secure (it would be extremely difficult to spoof the value of the SMSESSION header).</p> <p>We are using ASP.NET MVC3, which has global action filters, which is what we're using. But with MVC2, you could create a normal, controller level action filter that could be applied to a base controller class so that all of your controllers/actions will be secured.</p> <p>We have created a custom configuration section that allows us to turn this security filter on and off via web.config. If it's turned off, our configuration section has properties that will allow you to "impersonate" a given user with given roles for testing and debugging purposes. This configuration section also allows us to store the values of the header keys we're looking for in config as well, in case the vendor ever changes the header key names on us.</p> <pre><code>public class SiteMinderConfiguration : ConfigurationSection { [ConfigurationProperty("enabled", IsRequired = true)] public bool Enabled { get { return (bool)this["enabled"]; } set { this["enabled"] = value; } } [ConfigurationProperty("redirectTo", IsRequired = true)] public RedirectToElement RedirectTo { get { return (RedirectToElement)this["redirectTo"]; } set { this["redirectTo"] = value; } } [ConfigurationProperty("sessionCookieName", IsRequired = true)] public SiteMinderSessionCookieNameElement SessionCookieName { get { return (SiteMinderSessionCookieNameElement)this["sessionCookieName"]; } set { this["sessionCookieName"] = value; } } [ConfigurationProperty("userKey", IsRequired = true)] public UserKeyElement UserKey { get { return (UserKeyElement)this["userKey"]; } set { this["userKey"] = value; } } [ConfigurationProperty("rolesKey", IsRequired = true)] public RolesKeyElement RolesKey { get { return (RolesKeyElement)this["rolesKey"]; } set { this["rolesKey"] = value; } } [ConfigurationProperty("firstNameKey", IsRequired = true)] public FirstNameKeyElement FirstNameKey { get { return (FirstNameKeyElement)this["firstNameKey"]; } set { this["firstNameKey"] = value; } } [ConfigurationProperty("lastNameKey", IsRequired = true)] public LastNameKeyElement LastNameKey { get { return (LastNameKeyElement)this["lastNameKey"]; } set { this["lastNameKey"] = value; } } [ConfigurationProperty("impersonate", IsRequired = false)] public ImpersonateElement Impersonate { get { return (ImpersonateElement)this["impersonate"]; } set { this["impersonate"] = value; } } } public class SiteMinderSessionCookieNameElement : ConfigurationElement { [ConfigurationProperty("value", IsRequired = true)] public string Value { get { return (string)this["value"]; } set { this["value"] = value; } } } public class RedirectToElement : ConfigurationElement { [ConfigurationProperty("loginUrl", IsRequired = false)] public string LoginUrl { get { return (string)this["loginUrl"]; } set { this["loginUrl"] = value; } } } public class UserKeyElement : ConfigurationElement { [ConfigurationProperty("value", IsRequired = true)] public string Value { get { return (string)this["value"]; } set { this["value"] = value; } } } public class RolesKeyElement : ConfigurationElement { [ConfigurationProperty("value", IsRequired = true)] public string Value { get { return (string)this["value"]; } set { this["value"] = value; } } } public class FirstNameKeyElement : ConfigurationElement { [ConfigurationProperty("value", IsRequired = true)] public string Value { get { return (string)this["value"]; } set { this["value"] = value; } } } public class LastNameKeyElement : ConfigurationElement { [ConfigurationProperty("value", IsRequired = true)] public string Value { get { return (string)this["value"]; } set { this["value"] = value; } } } public class ImpersonateElement : ConfigurationElement { [ConfigurationProperty("username", IsRequired = false)] public UsernameElement Username { get { return (UsernameElement)this["username"]; } set { this["username"] = value; } } [ConfigurationProperty("roles", IsRequired = false)] public RolesElement Roles { get { return (RolesElement)this["roles"]; } set { this["roles"] = value; } } } public class UsernameElement : ConfigurationElement { [ConfigurationProperty("value", IsRequired = true)] public string Value { get { return (string)this["value"]; } set { this["value"] = value; } } } public class RolesElement : ConfigurationElement { [ConfigurationProperty("value", IsRequired = true)] public string Value { get { return (string)this["value"]; } set { this["value"] = value; } } } </code></pre> <p>So our web.config looks something like this</p> <pre><code>&lt;configuration&gt; &lt;configSections&gt; &lt;section name="siteMinderSecurity" type="MyApp.Web.Security.SiteMinderConfiguration, MyApp.Web" /&gt; ... &lt;/configSections&gt; ... &lt;siteMinderSecurity enabled="false"&gt; &lt;redirectTo loginUrl="https://example.com/login/?ReturnURL={0}"/&gt; &lt;sessionCookieName value="SMSESSION"/&gt; &lt;userKey value="SM_USER"/&gt; &lt;rolesKey value="SN-AD-GROUPS"/&gt; &lt;firstNameKey value="SN-AD-FIRST-NAME"/&gt; &lt;lastNameKey value="SN-AD-LAST-NAME"/&gt; &lt;impersonate&gt; &lt;username value="ImpersonateMe" /&gt; &lt;roles value="Role1, Role2, Role3" /&gt; &lt;/impersonate&gt; &lt;/siteMinderSecurity&gt; ... &lt;/configuration&gt; </code></pre> <p>We have a custom SiteMinderIdentity...</p> <pre><code>public class SiteMinderIdentity : GenericIdentity, IIdentity { public SiteMinderIdentity(string name, string type) : base(name, type) { } public IList&lt;string&gt; Roles { get; set; } } </code></pre> <p>And a custom SiteMinderPrincipal...</p> <pre><code>public class SiteMinderPrincipal : GenericPrincipal, IPrincipal { public SiteMinderPrincipal(IIdentity identity) : base(identity, null) { } public SiteMinderPrincipal(IIdentity identity, string[] roles) : base(identity, roles) { } } </code></pre> <p>And we populate <code>HttpContext.Current.User</code> and <code>Thread.CurrentPrincipal</code> with an instance of <code>SiteMinderPrincipal</code> that we build up based on information that we pull from the request headers in our action filter...</p> <pre><code>public class SiteMinderSecurity : ActionFilterAttribute { public override void OnActionExecuting(ActionExecutingContext filterContext) { base.OnActionExecuting(filterContext); var request = filterContext.HttpContext.Request; var response = filterContext.HttpContext.Response; if (MyApp.SiteMinderConfig.Enabled) { string[] userRoles = null; // default to null userRoles = Array.ConvertAll(request.Headers[MyApp.SiteMinderConfig.RolesKey.Value].Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries), r =&gt; r.Trim()); var identity = new SiteMinderIdentity(request.Headers[MyApp.SiteMinderConfig.UserKey.Value];, "SiteMinder"); if (userRoles != null) identity.Roles = userRoles.ToList(); var principal = new SiteMinderPrincipal(identity, userRoles); HttpContext.Current.User = principal; Thread.CurrentPrincipal = principal; } else { var roles = Array.ConvertAll(MyApp.SiteMinderConfig.Impersonate.Roles.Value.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries), r =&gt; r.Trim()); var identity = new SiteMinderIdentity(MyApp.SiteMinderConfig.Impersonate.Username.Value, "SiteMinder") { Roles = roles.ToList() }; var principal = new SiteMinderPrincipal(identity, roles); HttpContext.Current.User = principal; Thread.CurrentPrincipal = principal; } } } </code></pre> <p><code>MyApp</code> is a static class that gets initialized at application startup that caches the configuration information so we're not reading it from web.config on every request...</p> <pre><code>public static class MyApp { private static bool _isInitialized; private static object _lock; static MyApp() { _lock = new object(); } private static void Initialize() { if (!_isInitialized) { lock (_lock) { if (!_isInitialized) { // Initialize application version number _version = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location).FileVersion; _siteMinderConfig = (SiteMinderConfiguration)ConfigurationManager.GetSection("siteMinderSecurity"); _isInitialized = true; } } } } private static string _version; public static string Version { get { Initialize(); return _version; } } private static SiteMinderConfiguration _siteMinderConfig; public static SiteMinderConfiguration SiteMinderConfig { get { Initialize(); return _siteMinderConfig; } } } </code></pre> <p>From what I gather of your situation, you have information in a database that you'll need to lookup based on the information in the headers to get everything you need, so this won't be exactly what you need, but it seems like it should at least get you started.</p> <p>Hope this helps.</p>
    singulars
    1. This table or related slice is empty.
    1. POASP.NET MVC 2 Authorization with Gateway Page
      singulars
      1. PTQuestion
    1. PTAnswer
    1. This table or related slice is empty.
    1. USBob Yexley
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POASP.NET MVC 2 Authorization with Gateway Page
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTAcceptedByOriginator
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COThanks for the incredibly thorough answer! I especially like the impersonation options in the web.config, and the Multithreaded Singleton pattern, which I had to look up (http://msdn.microsoft.com/en-us/library/ff650316.aspx). This solution fits our situation really well.
      singulars
      1. PO
      1. USIshmael Smyrnow
    2. COCurrently, I've got an HTTP Module doing something similar in the OnAuthorization event. Is there a benefit to doing it in OnActionExecuting, or to using an Action Filter instead of the HTTP Module?
      singulars
      1. PO
      1. USIshmael Smyrnow
    3. CO@bob, I would love to know whether or not you've changed your approach in the past year, and also what else you had to do in the IIS configuration and web.config to get this to work. In other words, is this strategy still valid?
      singulars
      1. PO
      1. USMikeC
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload