Hi,

Are you planning on securing requests from the DAL or the BL

If so do you mean code access security

Please explain your purpose.

Regards,

Hi,

I don't think that ws is an issue here.

It is about layers. It is true that wse can supply you the security (using username token for example), but the performance will be bad. Maybe you need to implement your own custom security provider.

Regards,

thanks for your reply. We are considering to authrize actions (methods) on the BL. we may want to know inthe DAL who the user is so we can log the last modifer.

Hi,

I think this depends so much on your design, in other words your case is very general, if you have gone through designing your system please elaborate, for example you said we need to log the last modifier, as per my perception you can build a base class for all your business objects or DAL classes and add a member such as LastModifiedBy which refers to UserID in Users database table, or in other way you can opt for building a permission class then you can build a permission collection that can be exposed as a member to User Business Object, etc..

So please elaborate!

Regards,

In other words, you're not trying to secure data but rather are interested in auditing. Auditing is one part of an overall security methodology, but you should be clear about what threats you intend to handle, and which ones are out of scope.

With that said, in order to log which user did what, you need to have that information available. The design for this functionality differs between Win and Web scenarios, although you could come up with a unified design if you ignore most of the things that come out of the box with .net.

So, given that you have this information available in your DAL, the question is whether you want your DAL to have to deal with this. You could come up with a design where each user in the system gets a user opened for him in the DB, and the connection you'd open to the DB would use that users credentials in the connection string. THen you could let manage the auditing entirely in the DB. On the other hand, this would have performance implications that may not fit your application's non-functional requirements.

As always, there is no one answer. You need to balance ease of development, maintainability, performance, etc.

Hope that helps.

We are designing an application with sevreal layers. Data Business Logic Services Client - Gui ASP.NET or WebServices Wea re thinking of authorization in the BL and maybe in the Data layer. our problem is tramsfering the current data between the layers in an easy way. Any ideas

I don't think you need to re-authorize between layers unless you are crossing a process or computer boundary (i.e. these are actually tiers and not layers)

Arnon