Database security

Database security

Old forum URL: forums.lhotka.net/forums/t/1601.aspx

Skyguard posted on Thursday, October 26, 2006

Hello,

First off, I am a complete newbie to the CSLA framework. I have picked up the C# 2.0 bus objs book but I haven't finished reading it yet. I have also very limited experience with the core CSLA code.

I have been looking at the sample project provided with the framework and noticed that there are 2 databases used for the app. One for the application tables and another for the security. I think I understand the concept of limiting access so that a person who can create user accounts, assign roles, etc. in one db doesn't necessarily have any access in the other db (say for example in a payroll app) so you would segregate the access and make it theoretically more difficult to 'crack'... however... how can you have any integrity between the application user (id) and the application tables? (i.e. if I have a Createdby and ModifiedBy field (of type int) and I want a foreign key back to the UserID on the Users table, I can't do it because I have two databases... to my knowledge you cannot have foreign key integrity between 2 tables on different database instances... so the application database has to take it for granted that the user id actually exists... the only way I see around this is to have trigger integrity between the security database and the application database... (so that if the security users table gets modified, it propogates to a "short table" in the application database) but I don't think trigger integrity is too good of an idea... any thoughts on this?

As I said I am a newb to the CSLA and haven't looked at the guts yet to see how security is done (nor have I read the book about it either)... just wondering if I am missing something or what...

Thanks,
PL

Brian Criswell replied on Thursday, October 26, 2006

I personally see those kind of fields as historical information.  In my databases, the historical information that is lookup based (tables of users, selection lists for combo boxes, etc.) is written into the history tables/columns as text rather than the unique ids so that I can see what the information looked like at the time of the change.  So at the time of the change, you write the user name to the field and do not bother with referential integrity.  If the user name can change, I want to know the user name at the time of the change.  If the user name cannot change, then you can still join on the user name.  Not using ids with foreign key constraints also allows me to delete users.

The main reason for the separation of databases in the CSLA example, however, is to show that you can get that information from a separate source without difficulties whether it is a table in the same database, conversion of SQL server users and roles, or reading from an Active Directory.  That way you can use existing security structures and not have to duplicate them, or it may be a situation where you must use an existing security source and may not modify it.  As a side note, realising that the security can come from a separate source, it is then a simpler step to realise that any of your objects can come from different data sources whilst still behaving similarly as objects, and users of your objects will be oblivious to the difference.

So back to your question.  If there is not already a security data source in place, go ahead and make security tables in your main database.  If your database is cracked, they are already going to have your data.  And it is up to you as to whether having foreign keys back to your user table really adds the value to make it worth it.

SonOfPirate replied on Thursday, October 26, 2006

As Brian says, the use of separate databases in the book and sample application is to demonstrate the capabilities of the framework.  As for implementing in this fashion with the need to enforce referential integrity, well now you're talking about a DB design issue and there are a number of solutions.  I believe, but may be mistaken, that SQL Server does allow you to have foreign key relationships with tables contained in another db - but again, I could be mistaken.

Anyway, a good way to think about this from a framework standpoint, and to possibly help your thinking about referential integrity a bit, is to look at an application using "integrated" security - i.e. the user information comes from the OS, possibly Active Directory.  We do a lot of these applications and there is no way to enforce referential integrity in the db when the user's identity comes from outside that data store.  (We have another case where the user information comes from Active Directory, their employee profile data is contained in an Oracle database but the applications are all written to use SQL Server!).

The point is that under these circumstances you have no choice but to evaluate this and how you are to maintain referential integrity.

Well, go back to the initial chapters of the book where Rocky discusses a lot of the decisions that were made and optional paths he could have taken.  One of the first questions any design team faces when developing a data-driven application is where to put the logic.  With CSLA, while making use of stored procedures in the database (for reasons stated in the book), the decision was made to encapsulate the logic - or business rules - into our objects rather than in the sprocs.  When you consider that referential integrity is really just another business rule (although it has other implications as well), it then becomes logical that enforcement should also fall to your business objects.

In our case, we have no choice but to store the user's login name (Identity.Name) in our database tables because that's all we have to work with.  But, from that, we are able to retrieve the information from all three data sources - which is our goal.  Is there anything that says that the user listed in the CreatedBy field still exists in Active Directory when that record is retrieved?  No.  But do they really need to be?  The answer may be "yes" depending on your use case, but if it is just a tag for traceability, the user name tends to be enough.  And if not, you can create a lookup table in your database that relates the user name to their actual name and whatever else you feel must be persisted in your application.  And, in our case, if for some reason their profile is no longer available in the Oracle database, the link to access this information is disabled.

Should you be in the position to work within a single data store, then the decision to split databases should be based on security and possibly loading concerns.  In the case of the latter, I think today's database servers are able to put aside many of the issues that us old-timers had to deal with so it really boils down to what security you'll have on the db.  You may have many DBA's running around with different security levels and feel that isolating the more sensative information calls for a segregated design.  That's fine and you can use the same approach as above and everything will work well.  On the other hand, today's databases also implement much more thorough security models that allow you to fine tune access right down to the object level so there isn't that much gained by splitting the databases.

But, to digress, the point of doing so in the book and example was, again, to demonstrate that you can develop an application that combines data from multiple, disparate sources.  Whether you actually do so or not depends on you, the requirements of your applications and the environments you find yourself working in.

Hope that helps.

 

Copyright (c) Marimer LLC