ApplicationContext.User with Active Directory-based security


Old forum URL: forums.lhotka.net/forums/t/10548.aspx


TSF posted on Thursday, July 21, 2011

I'm using Active Directory for security, and I read in Rocky's e-book that with Windows security (unless Kerberos is enabled), the identity can take only one hop.  Because of this, I'm trying to figure out the best place in the BO for using the Csla.ApplicationContext.User.Identity.Name property in order to pass along the User ID to the database for recording the transaction history.

Would the factory methods be the best place to reference this User ID property?  It would seem that regardless of whether we deployed as a 3-tier or 4-tier (physical) the factory methods would always be at most one network hop away from the user.  The factory methods would then pass the user ID as a string to the DAL.

Or does this differ depending on whether it is a WPF vs Silverlight app?  Thanks.

RockfordLhotka replied on Thursday, July 21, 2011

In a 3-tier deployment, the "hop" is usually from the client workstation (where the user logged in) to the app server. So the app server (DataPortal_XYZ or object factory) methods will have access to the user's Windows identity. Basically, in most Windows apps, any code running on the app server has access to the user's identity.

The problem is that the app server can't impersonate the Windows user when calling the database server, because that would be a second "hop".

A 4-tier Silverlight app is different, because the first hop is from the browser to the web server, so the Windows identity can't flow to the app server. But in reality this is rarely an issue, because most 4-tier deployments are done for security reasons, and the user is usually not authenticating against AD in such apps. But if your app is 4-tier and does use AD to authenticate the end user's browser session, then you are limited to having the identity in the browser and web server only.

In that case, the last normal CSLA code you can write to get the identity is in an inspector object that runs on the web server. This involves the use of the MobileFactory attribute, and is described in the ebook series.
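The 3-tier case described in the reply, as an added example that is not from the original thread or from the CSLA framework's own samples: the factory method only asks the data portal to do the work, while the DataPortal_Insert method, which runs on the app server one hop from the user, reads `Csla.ApplicationContext.User.Identity.Name` and hands it to the DAL as a plain string for the transaction history. The `Order` class, the `IOrderDal` interface, `OrderDalFactory` and `InMemoryOrderDal` are all assumed names invented for this example.

```csharp
using System;
using System.Collections.Generic;
using Csla;

// Assumed DAL contract: the thread only says the user ID is passed
// "as a string to the DAL", so this interface is an assumption.
public interface IOrderDal
{
    int Insert(string description, string enteredBy);
}

// Assumed in-memory DAL so the example runs without a database.
public class InMemoryOrderDal : IOrderDal
{
    public readonly List<string> HistoryRows = new List<string>();
    private int _nextId = 1;

    public int Insert(string description, string enteredBy)
    {
        int id = _nextId++;
        // Constructed history row: id|description|user|UTC timestamp
        HistoryRows.Add(string.Format("{0}|{1}|{2}|{3:o}", id, description, enteredBy, DateTime.UtcNow));
        return id;
    }
}

// Assumed resolution hook; a real project would use its own DAL provider.
public static class OrderDalFactory
{
    private static IOrderDal _instance = new InMemoryOrderDal();
    public static IOrderDal Instance
    {
        get { return _instance; }
        set { _instance = value; }
    }
}

[Serializable]
public class Order : BusinessBase<Order>
{
    public static readonly PropertyInfo<int> IdProperty = RegisterProperty<int>(c => c.Id);
    public int Id
    {
        get { return GetProperty(IdProperty); }
        private set { LoadProperty(IdProperty, value); }
    }

    public static readonly PropertyInfo<string> DescriptionProperty = RegisterProperty<string>(c => c.Description);
    public string Description
    {
        get { return GetProperty(DescriptionProperty); }
        set { SetProperty(DescriptionProperty, value); }
    }

    // Factory method: runs on the tier that calls it (the client in a
    // 3-tier deployment). It never touches the identity itself.
    public static Order NewOrder()
    {
        return DataPortal.Create<Order>();
    }

    [RunLocal]
    protected override void DataPortal_Create()
    {
        base.DataPortal_Create();
    }

    // Runs on the app server, one hop from the logged-in user, so the
    // Windows identity is still present in ApplicationContext.User.
    protected override void DataPortal_Insert()
    {
        string enteredBy = CurrentUserName();
        using (BypassPropertyChecks)
        {
            Id = OrderDalFactory.Instance.Insert(Description, enteredBy);
        }
    }

    // Reads the name from the CSLA principal and refuses to write an
    // empty or unauthenticated value into the history record.
    internal static string CurrentUserName()
    {
        var identity = ApplicationContext.User == null ? null : ApplicationContext.User.Identity;
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
        {
            throw new System.Security.SecurityException(
                "No authenticated identity is available on this tier; " +
                "the user name for transaction history cannot be recorded.");
        }
        return identity.Name;
    }
}
```

Because the name is read inside the server-side DataPortal_Insert rather than accepted as a string from the caller, the value recorded in the history comes from the authenticated context on the app server, not from data the client could supply. The `SecurityException` branch is what you would hit in the 4-tier Silverlight case from the reply, where the identity does not reach the app server at all.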

Copyright (c) Marimer LLC