Purpose: This document describes the differences between security on a web project and security within a Windows project.
Differences in Web Security
Security within a web project differs from security within a Windows project in the following ways:
- CurrentUser - SecurityBasics.CurrentUser must be configured to store an ISecurityUser object for each session.
- Maintenance Forms - To maintain users, roles, and restriction sets, you must either create custom web-based maintenance forms or use the winform-based maintenance forms provided.
- Object Permissions - Object permissions function much the same as when using WinForms, with the primary exception being the lack of form-level security keys.
- Session Locking - Session locking is not supported within web applications.
- Programmatic Access - Programmatic access within a web project is exactly the same as within a Windows project.
CurrentUser
When using security on the web, the SecurityBasics.CurrentUser property must be configured to store a different ISecurityUser object for each session, rather than just one for the whole AppDomain.
This is accomplished via a configuration setting which indicates that the application is being run within a web environment. This tells the CurrentUser property to use the current session object to retrieve and store the current ISecurityUser. For more information, refer to the Required Global.asax Code topic.
Maintenance Forms
No user, role, or restriction set maintenance forms are available for web projects. Therefore, all users, roles, and selected permissions must be set either using the SecurityDialog in a Windows form or via custom forms created within your web project to maintain user permissions and roles.
Object Permissions
Web-based object permissions function as follows:
- Field-Level - All field-level permissions work identically on WebForms controls as they do on their corresponding WinForm controls.
- Business Object-Level - Business object-level permissions work the same as well, but the forms will not automatically handle the SecurityDenied event of the business objects.
- Form-Level - There is no form-level security key, so permissions must be checked programmatically to prevent the viewing of a complete WebForm.
Session Locking
Session locking is not supported within web applications.
Programmatic Access
Programmatic access within a web project is exactly the same as within a Windows project. The CurrentUser object can be queried for available permissions, and the proper ISecurityUser object will be returned from the CurrentUser property.
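The following is an added illustration, not StrataFrame code, of why the current user must be stored per session on the web and of a form-level check made in code. DemoUser, SharedCurrentUser, SessionCurrentUser, the session ids and the "OrdersPage" key are hypothetical stand-ins; the framework's own ISecurityUser and SecurityBasics.CurrentUser are not used here.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Hypothetical stand-in for an ISecurityUser implementation (not StrataFrame's type).
sealed class DemoUser
{
    private readonly HashSet<string> _granted;
    public string Name { get; }
    public DemoUser(string name, params string[] grantedKeys)
    {
        Name = name;
        _granted = new HashSet<string>(grantedKeys, StringComparer.Ordinal);
    }
    public bool IsGranted(string key) => _granted.Contains(key);
}

// One slot for the whole AppDomain: fine on the desktop, wrong on the web,
// because every request in the process reads and writes the same user.
static class SharedCurrentUser { public static DemoUser Current; }

// One slot per session: the session id selects the user.
static class SessionCurrentUser
{
    private static readonly ConcurrentDictionary<string, DemoUser> Users =
        new ConcurrentDictionary<string, DemoUser>();
    public static void SignIn(string sessionId, DemoUser user) => Users[sessionId] = user;
    // Form-level check made in code: deny unless the session has a user
    // and that user holds the key.
    public static bool CanView(string sessionId, string formKey) =>
        Users.TryGetValue(sessionId, out var user) && user.IsGranted(formKey);
}

static class Program
{
    static void Main()
    {
        var clerk = new DemoUser("clerk");                 // constructed sample users
        var admin = new DemoUser("admin", "OrdersPage");
        SharedCurrentUser.Current = clerk;                 // session A signs in
        SharedCurrentUser.Current = admin;                 // session B signs in and overwrites A
        Console.WriteLine("shared slot, session A acts as: " + SharedCurrentUser.Current.Name);
        SessionCurrentUser.SignIn("session-A", clerk);
        SessionCurrentUser.SignIn("session-B", admin);
        foreach (var id in new[] { "session-A", "session-B", "session-X" })
            Console.WriteLine(id + " may view OrdersPage: " + SessionCurrentUser.CanView(id, "OrdersPage"));
    }
}
```

In a real WebForm the equivalent check belongs early in the page lifecycle, before any content is rendered, with a redirect or error response when it fails.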