R
RMT
Hi, my application goes like this:
Windows Forms (client)
|
|
|
ASP.NET (IIS 5.0) or APACHE (vanilla SOAP for example)
|
|
|
SQL Server, DB2, MySQL, Oracle, (whatever)
My schema on the database contains a "Users" table, which contains bits set
or cleared according to whether that user can execute the given method, e.g.
"dbo.DeleteNode" stored procedure can only be executed by a user with this
bit set in a field in the Users table. I don't want to use ASP.NET
security model, basically because I will be writing a generic SOAP concrete
class to be returned from my ConnectionFactory class and I won't know it's a
Windows server at the other end. What I want to do, if you people think it
sounds reasonable, is to just pass a username/password with every method I
attempt to execute, to be authenticated by the stored procedure against the
database.
Question 1: Is this a reasonable security model? i.e. just a single U/P
evaluated inside a stored procedure on the database.
Question 2: In order to pass the username/password safely, I have to host it
with HTTPS, correct?
Question 3: If I don't use HTTPS, how can I achieve encryption/decryption?
Question 4: What are the implications for allowing anonymous access, but
stopping unauthorized access inside the stored procedure?
Question 5: Is this a flimsy model and should I have another layer of
security somewhere?
Question 6: What if as well as sending a username/password, I sent a network
card address (unique!)
To be honest, I find security a nightmare to think about - especially with
all of the options available, it's complexity in some scenarios and what
goes on in the underlying system that I don't see (ie. Windows
Authentication, how does that work?). I have a large brain it's true, but
the Security Lobe is rather atrophied. Can I have some advice here please?
Thanks,
Robin.
Windows Forms (client)
|
|
|
ASP.NET (IIS 5.0) or APACHE (vanilla SOAP for example)
|
|
|
SQL Server, DB2, MySQL, Oracle, (whatever)
My schema on the database contains a "Users" table, which contains bits set
or cleared according to whether that user can execute the given method, e.g.
"dbo.DeleteNode" stored procedure can only be executed by a user with this
bit set in a field in the Users table. I don't want to use ASP.NET
security model, basically because I will be writing a generic SOAP concrete
class to be returned from my ConnectionFactory class and I won't know it's a
Windows server at the other end. What I want to do, if you people think it
sounds reasonable, is to just pass a username/password with every method I
attempt to execute, to be authenticated by the stored procedure against the
database.
Question 1: Is this a reasonable security model? i.e. just a single U/P
evaluated inside a stored procedure on the database.
Question 2: In order to pass the username/password safely, I have to host it
with HTTPS, correct?
Question 3: If I don't use HTTPS, how can I achieve encryption/decryption?
Question 4: What are the implications for allowing anonymous access, but
stopping unauthorized access inside the stored procedure?
Question 5: Is this a flimsy model and should I have another layer of
security somewhere?
Question 6: What if as well as sending a username/password, I sent a network
card address (unique!)
To be honest, I find security a nightmare to think about - especially with
all of the options available, it's complexity in some scenarios and what
goes on in the underlying system that I don't see (ie. Windows
Authentication, how does that work?). I have a large brain it's true, but
the Security Lobe is rather atrophied. Can I have some advice here please?
Thanks,
Robin.
