Authentication

 
 
Dave
 
      17th Nov 2007
I would like to find a tutorial that shows how to set up authentication in a
winform application similar to one that ASP.Net applications are capable of.
--
L. A. Jones
 
 
 
 
 
Nicholas Paldino [.NET/C# MVP]
 
      17th Nov 2007
Dave,

Authentication in Windows Forms is a different beast than in ASP.NET
applications. Basically, you are going to work off the current principal
for the thread, which can be based on the user that is currently logged in
and running your app, or something completely custom.

However, once you determine how you want to authenticate your user, how
you authorize them is pretty much the same (declarative security using the
PrincipalPermissionAttribute, calling IsInRole on the IPrincipal interface
definition).

Juval Lowy has written an article which shows how to use the ASP.NET
authentication module in Windows Forms if you are interested:

http://msdn.microsoft.com/msdnmag/is...y/default.aspx


--
- Nicholas Paldino [.NET/C# MVP]

 
 
Dave
 
      17th Nov 2007
Well let me tell you how I've implemented my application security. I have a
main form with several menu options. When a user logs in I check a SQL
database to authenticate the user. Based on the outcome several menu options
will be enabled or disabled. Is this a poor security technique?
--
L. A. Jones
 
 
Nicholas Paldino [.NET/C# MVP]
 
      17th Nov 2007
Well, there are a number of questions here.

First, how are you accessing the database? Are you doing it using
trusted security, or are you accessing it using a username/login combo?

If it is the former, then you probably should be using a windows
principal, and using the security in the operating system (windows is a
single sign on system) to authenticate your user.

If it is the latter (which if you insist on a separate sign on, it
should be), then you have to be sure that you are not storing passwords in
the database, because a malicious user could use the credentials to fetch
the passwords (encrypted or not) and try to crack them over time.

Regardless, you should be encrypting the connection string as well in
the config file (assuming that is where you keep it).

You can then create a custom implementation of IPrincipal and set the
CurrentPrincipal property on the thread which will be used when checking
methods/properties with the PrincipalPermission attribute. You will need to
implement the IsInRole method to check against your database to see what
roles the user is a part of.

Needless to say, it isn't a bad thing that you are storing user
information in the database, you just have to take certain steps to make
sure that it is secure.

--
- Nicholas Paldino [.NET/C# MVP]

 
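The custom IPrincipal / Thread.CurrentPrincipal / PrincipalPermission pattern Nicholas describes, as an added example that is not code from the thread. The type names (AppIdentity, AppPrincipal, Login, AdminOperations) and the user/role data are made up for the example; the in-memory dictionary stands in for the SQL lookup so the snippet runs stand-alone. It targets .NET Framework: declarative PrincipalPermissionAttribute demands are not supported on .NET Core / .NET 5+, where only the imperative IsInRole check below works.

```csharp
// Added example (not from the original thread): a custom IIdentity/IPrincipal
// for a Windows Forms app that authenticates against its own user table.
// The database lookup is replaced by an in-memory dictionary (constructed
// sample data). Targets .NET Framework: PrincipalPermissionAttribute is
// not supported on .NET Core / .NET 5+.
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public sealed class AppIdentity : IIdentity
{
    public AppIdentity(string name) { Name = name; }
    public string Name { get; private set; }
    public string AuthenticationType { get { return "AppDatabase"; } }
    // PrincipalPermission demands also require an authenticated identity.
    public bool IsAuthenticated { get { return true; } }
}

public sealed class AppPrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;

    public AppPrincipal(AppIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get; private set; }

    // Answers from the roles loaded for the user at login; a real app would
    // fill this set from its roles table rather than querying on every call.
    public bool IsInRole(string role) { return _roles.Contains(role); }
}

public static class Login
{
    // Constructed sample data standing in for the users/roles tables.
    private static readonly Dictionary<string, string[]> SampleRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Admin", "Operator" } },
            { "bob",   new[] { "Operator" } },
        };

    // Call only after the password check has succeeded. Setting
    // Thread.CurrentPrincipal is what makes PrincipalPermission demands
    // on this thread see the signed-in user.
    public static void SignIn(string userName)
    {
        string[] roles;
        if (!SampleRoles.TryGetValue(userName, out roles))
            throw new SecurityException("unknown user");
        Thread.CurrentPrincipal = new AppPrincipal(new AppIdentity(userName), roles);
    }

    public static void SignOut()
    {
        // An empty GenericIdentity is unauthenticated, so every demand fails.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(""), new string[0]);
    }
}

public static class AdminOperations
{
    // Enforced at the operation, not just at the menu item: a caller who is
    // not in Admin gets a SecurityException however the method was reached.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public static string DeleteAllOrders() { return "orders deleted"; }

    // Imperative form, usable for enabling/disabling the menu item and on
    // runtimes without declarative PrincipalPermission support.
    public static bool CanDeleteOrders()
    {
        return Thread.CurrentPrincipal != null &&
               Thread.CurrentPrincipal.IsInRole("Admin");
    }
}

public static class Program
{
    public static void Main()
    {
        Login.SignIn("bob");
        // Menu wiring in a form: deleteMenuItem.Enabled = AdminOperations.CanDeleteOrders();
        try { AdminOperations.DeleteAllOrders(); }
        catch (SecurityException) { Console.WriteLine("bob: denied"); }

        Login.SignIn("alice");
        Console.WriteLine("alice: " + AdminOperations.DeleteAllOrders());
        Login.SignOut();
    }
}
```

Two things to keep in mind when wiring this into a form. Thread.CurrentPrincipal is per thread, so set it on the thread that calls the guarded methods (the UI thread) and again on any worker thread that runs guarded code. And disabling a menu item is a convenience, not a control: the demand on the method is what stops a user who reaches the operation some other way, and because the application itself holds the database credentials, anything the client can do with its connection string is reachable by a user who extracts it, so the roles that matter should also be enforced in the database or behind a service.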
 
Dave
 
      17th Nov 2007
You stated ".... If it is the latter (which if you insist on a separate sign
on, it
should be), then you have to be sure that you are not storing passwords in
the database". Where would I store my password?

I have not found any basic tutorial on IPrincipal. Could you direct me to one?

Thanks.
--
L. A. Jones
 
 
Nicholas Paldino [.NET/C# MVP]
 
      17th Nov 2007
Dave,

You shouldn't be storing passwords at all. If anything, you should be
storing hashes of some data based on the password (usually, it's against the
user name, along with a salt) and then you compare the hashes. This way,
the password cannot be reverse-engineered from the hash.

As for how to create a custom principal, check out the section of the
MSDN documentation titled "Walkthrough: Implementing Custom Authentication
and Authorization", located at:

http://msdn2.microsoft.com/en-us/library/ms172766(VS.80).aspx

It's in VB, but everything can be easily converted to C#.


--
- Nicholas Paldino [.NET/C# MVP]
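The "store a salted hash and compare hashes" advice above, as an added example that is not code from the thread. It uses PBKDF2 via Rfc2898DeriveBytes (in .NET since 2.0; HMAC-SHA1 by default on .NET Framework) with a random per-user salt rather than the user name as salt, stores the iteration count alongside the hash so it can be raised later, and compares in fixed time. The class names (StoredCredential, PasswordStore), the iteration count and the sample user are assumptions; the dictionary stands in for the users table.

```csharp
// Added example (not from the original thread): storing and verifying a
// password as a salted, iterated hash instead of the password itself.
// The "users table" is an in-memory dictionary with constructed data so
// the snippet runs offline.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class StoredCredential
{
    public byte[] Salt;       // random, generated per user
    public byte[] Hash;       // PBKDF2(password, Salt, Iterations)
    public int Iterations;    // stored so the work factor can be raised later
}

public static class PasswordStore
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    // Assumed work factor: raise it until one derivation costs tens of
    // milliseconds on the hardware that will run the check.
    private const int DefaultIterations = 100000;

    public static StoredCredential Create(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        return new StoredCredential
        {
            Salt = salt,
            Iterations = DefaultIterations,
            Hash = Derive(password, salt, DefaultIterations),
        };
    }

    public static bool Verify(string password, StoredCredential stored)
    {
        var candidate = Derive(password, stored.Salt, stored.Iterations);
        return FixedTimeEquals(candidate, stored.Hash);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Touch every byte whatever the first mismatch position is, so the
    // comparison time does not leak how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    // A throwaway credential so an unknown user name costs the same work
    // as a wrong password, instead of revealing which names exist.
    private static readonly StoredCredential Dummy = PasswordStore.Create("dummy");

    public static bool Login(IDictionary<string, StoredCredential> users,
                             string userName, string password)
    {
        StoredCredential stored;
        bool known = users.TryGetValue(userName, out stored);
        bool ok = PasswordStore.Verify(password, known ? stored : Dummy);
        return known && ok;
    }

    public static void Main()
    {
        // Constructed sample users table: user name -> stored credential.
        var users = new Dictionary<string, StoredCredential>(StringComparer.OrdinalIgnoreCase);
        users["alice"] = PasswordStore.Create("correct horse battery staple");

        Console.WriteLine(Login(users, "alice", "correct horse battery staple"));
        Console.WriteLine(Login(users, "alice", "wrong password"));
        Console.WriteLine(Login(users, "mallory", "anything"));
    }
}
```

Only Salt, Hash and Iterations go into the users table; the password itself is never written anywhere. Someone who extracts that table (the scenario Nicholas raises) still has to run the KDF per guess, per user, and the stored iteration count lets you re-hash users onto a higher work factor at their next successful login.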