Hi there,
When connecting to a MS SQL Server 2005, I could define Windows Authentication in my connection string.
What account will be used? The one used by IIS (I still don't know the user ASP.NET runs as, or whether it is independent of IIS or not)?
And what if I want some aspx pages to have different access rights? I need to use SQL Server Authentication with different users created in MS SQL Server, right?
In ASP.NET, what is best practice: have one SQL account and implement the users' access rights in the Business Logic, or have different SQL accounts for the different access rights I want on every page?
Sorry if these are basic questions, but in the searches I made, I saw very confusing ideas.
Thanks in advance, and sorry for my English.
Alberto Ferreira
Hi Alberto,
ASP.NET runs under the ASPNET account (you can check under users to get more info about this account).
Unlike a client-server application, you don't have to follow the same logic in a web application.
You have to implement Forms Authentication for authentication and implement GenericPrincipal containing IPrincipal and IIdentity for authorization.
In that you would create your Custom Screen Permission or Screen-Screen Action permission lookup table. You would find plenty of articles on this.
For connection pooling to take place, the connection string has to be the same, so in ASP.NET we reuse the same user name and password, but we control the security at the application level rather than at the database level, as we previously used to do.
And never mind the English.
Happy Programming
Anton
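The approach in Anton's reply, as an added example that is not part of either post: a GenericPrincipal carries the user's roles, and a default-deny check consults a screen/action permission lookup table. The `ScreenPermissions` class, the role names and the screen names are hypothetical, and the table is held in memory here instead of being loaded from SQL Server.

```csharp
using System;
using System.Security.Principal;
// Added example: role, screen and action names are constructed for illustration.
static class ScreenPermissions
{
    // Stand-in for the permission lookup table (Role, Screen, Action). In the application
    // these rows are read through the one shared SQL login, so pooling still works.
    static readonly string[][] Rows =
    {
        new[] { "Clerk",   "Orders.aspx",  "View" },
        new[] { "Manager", "Orders.aspx",  "View" },
        new[] { "Manager", "Orders.aspx",  "Edit" },
        new[] { "Manager", "Reports.aspx", "View" },
    };

    // Default deny: access is granted only when an authenticated user holds a
    // role that has a row for exactly this screen and action.
    public static bool IsAllowed(IPrincipal user, string screen, string action)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        foreach (string[] row in Rows)
        {
            if (string.Equals(row[1], screen, StringComparison.OrdinalIgnoreCase)
                && string.Equals(row[2], action, StringComparison.OrdinalIgnoreCase)
                && user.IsInRole(row[0]))
                return true;
        }
        return false;
    }
}

static class Program
{
    // Builds the principal a Forms Authentication site attaches to the request.
    static IPrincipal MakeUser(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name, "Forms"), roles);
    }
    static void Main()
    {
        IPrincipal clerk = MakeUser("alice", "Clerk");
        IPrincipal anonymous = MakeUser("");   // empty name => not authenticated
        Console.WriteLine("clerk view orders: " + ScreenPermissions.IsAllowed(clerk, "Orders.aspx", "View"));
        Console.WriteLine("clerk edit orders: " + ScreenPermissions.IsAllowed(clerk, "Orders.aspx", "Edit"));
        Console.WriteLine("anonymous view:    " + ScreenPermissions.IsAllowed(anonymous, "Orders.aspx", "View"));
    }
}
```

Because the database sees only the shared application login in this model, the check has to run on the server for every request that reaches a protected screen or action; hiding a link in the page does not enforce anything.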