  • Beyond Role Based Authorization in ASP.NET MVC

    A fairly frequent requirement in applications is to check for authorization to perform an action.  At the most basic level, this might just involve seeing if the user is authenticated (at all) or checking a flag to see if they are an Admin.  However, more complex requirements frequently include a variety of roles, and it’s quite common for the notion of ownership to be involved as well, with some actions being allowed if you own the item being worked on, and otherwise not.  I’ve written about using the notion of Privileges over Role Checks for this exact purpose in the past, as a way to ensure the logic of such decisions is properly encapsulated so that you can follow the … more

  • Favor Privileges over Role Checks

    A very common practice in web applications, especially those written using the ASP.NET built-in Role provider (circa ASP.NET 2.0 / 2005), is to perform role checks throughout the code to determine whether a user should have access to a particular page or control or command.  For instance, you might see something like this:

    if (CurrentUser.IsInRole(Roles.Administrators) ||
        /* remaining role checks elided in this excerpt */)
    {
        SomeSpecialControl.Visible = true;
    }


    The problems with the maintainability of this approach become apparent after a short while.  For one, any buttons or other controls on the SomeSpecialControl above that post back to the page should … more

  • Hosting Company Breached

    Fasthosts, "the UK's number 1 web host" (by self acclamation I'm sure) is in the news today because apparently all of their customers' passwords (in plaintext) were compromised by a security breach.  They've asked all of their customers to change their passwords immediately, and of course since many people use the same passwords on multiple web sites, the breadth of this breach could be quite large. I first heard about this on Brad Kingsley's blog, and I have to share Brad's thoughts on the one thing Fasthosts said that makes no sense whatsoever (and if you read the comments on the Register article you can see most people share this opinion).  They claimed: "Historically, … more

  • Slashdot Acknowledges Vista More Secure Than Linux

    Wow, even Slashdot, anti-Microsoft capital of the Web, acknowledges that six months after its release, Vista Security is still besting Linux.  From the site: "Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This time he did what the Linux community had asked. Everyone complained that he did the report based on a full Linux distro including optional components, not on just a base OS install. So this time he did both; Vista still came out on top. I was shocked that Apple was even on the list as I believed all those Mac commercials!" Full story. Oddly the … more