Building a generic security framework

It's a mind-blowing fact that, despite the countless libraries and frameworks available for the ASP.NET platform, there still don't appear to be any options for a plug-and-play security framework.

This is now the second time I have had to build a security framework for my applications, and each and every time it seems to prove just as frustrating as the last. For every generic implementation I am able to concoct and every two steps forward I take, I am subsequently pulled 3 steps back when I confront a requirement that simply doesn't fit anywhere within my implementation.

Despite my issues, I do, however, have some tips.

Use a generic approach

  1. It may initially seem like an overwhelmingly complicated problem to solve generically, but it isn't; just like most things in our field, it needs to be solved using a staggered approach.
  2. Start by implementing only the most basic functionality (Edit and View, for example) and slowly move to more complicated requirements (if this value is x this control is enabled, if this value is y this control is hidden). As you solve these problems generically, you will slowly build up an overall solution.
  3. Testing a non-generic approach is nearly impossible and will cost you much more in the long run.

Use bitwise operations (flag enumerations)

  1. I have tried approaches both with and without flags, and I can confidently say that the code in the latter is cleaner and more understandable (even if it does make DBAs go mad).

Create a separation of permissions in the following way:

  • Groups
  • Page Level Permissions
  • Control Level Permissions
  1. Groups are your standard security groups as with any other application.
  2. Page-level permissions are the permissions tied to a single page or a group of pages, and will typically only require View, Create, Edit and Delete functionality.
  3. Control-level permissions are usually where things get tricky; they can require any number of 'truths' to either enable or show the control, and the logic to express this can become very convoluted. I approach this part of the problem with the idea of invoking defined methods (linked by control names) that perform the required validation and return either true or false.
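As an added example (not code from the original post), here is one way in C# to wire the three tiers together: a `[Flags]` enumeration for page-level permissions tested with bitwise AND, a group-to-page permission table, and control-level rules looked up by control name that return true or false. The group names, page names, control names and the `OrderTotal` value are all constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Page-level permissions as a flags enumeration: a group's rights for a page
// fit in one integer column and are tested with a bitwise AND.
[Flags]
public enum PagePermission
{
    None   = 0,
    View   = 1 << 0,
    Create = 1 << 1,
    Edit   = 1 << 2,
    Delete = 1 << 3,
}

// Everything a control-level rule may inspect when deciding enable/show.
public sealed class SecurityContext
{
    public string Group { get; init; } = "";
    public PagePermission PagePermissions { get; init; }
    public IDictionary<string, object> Values { get; init; } = new Dictionary<string, object>();
}

public static class SecurityFramework
{
    // Group -> page -> permission flags (sample data constructed for this example).
    private static readonly Dictionary<string, Dictionary<string, PagePermission>> GroupPagePermissions = new()
    {
        ["Editors"] = new() { ["Orders.aspx"] = PagePermission.View | PagePermission.Edit },
        ["Admins"]  = new() { ["Orders.aspx"] = PagePermission.View | PagePermission.Create
                                               | PagePermission.Edit | PagePermission.Delete },
    };

    // Control-level rules keyed by control name; each returns true when the control may be enabled.
    private static readonly Dictionary<string, Func<SecurityContext, bool>> ControlRules = new()
    {
        ["btnApprove"] = ctx => ctx.PagePermissions.HasFlag(PagePermission.Edit)
                                && ctx.Values.TryGetValue("OrderTotal", out var t) && (decimal)t < 10000m,
        ["btnDelete"]  = ctx => (ctx.PagePermissions & PagePermission.Delete) != 0,
    };

    public static PagePermission GetPagePermissions(string group, string page) =>
        GroupPagePermissions.TryGetValue(group, out var pages) && pages.TryGetValue(page, out var p)
            ? p : PagePermission.None;   // unknown group or page grants nothing

    // Every required bit must be present in the granted flags.
    public static bool Allows(PagePermission granted, PagePermission required) =>
        (granted & required) == required;

    // Unknown control names fail closed: no registered rule means not enabled.
    public static bool IsControlEnabled(string controlName, SecurityContext ctx) =>
        ControlRules.TryGetValue(controlName, out var rule) && rule(ctx);
}
```

A page would call `GetPagePermissions` once on load, pass the result into a `SecurityContext` together with the bound values, and then ask `IsControlEnabled` for each control by its name.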

The above separation will cover just about any scenario you can envisage and, if implemented with even the smallest amount of foresight, should be enough as the basis of any generic security framework. Having said that, if anyone wants to become another Telerik, go get started on this project immediately…