.net c # what is the best practice to keep each method safe?
I have a web project with a business layer that handles some data operations. I would like to protect some or all of the methods by checking if there is an active incomplete valid one Session
before executing the method.
At first I thought of using Attribute
above class, but I was unable to run it correctly. Since the class is a regular class and does not derive from System.Web.Page
. the attribute class is never run when the requested BL instance is called. In addition, some of the methods may not require a valid session, so the entire class may not need complete security. And also adding a line that checks the session at every start of the method is not very promising.
If you ask me why I need to defend by method, I could explain the following:
- This is a web project
- The face may start by filling, but at that moment it was not saved.
- This screen waits for about 30 minutes, say
- The session has already ended.
- The user goes back to the computer and presses the SAVE button , but the process should NOT be completed.
The save operation can be easily performed DELETE
or SELECT
.
Since there are many types of forms, etc., I have BL.ItemManager
, BL.VideoManager
, BL.ServiceManager
etc. So, these classes have many options for save, delete and select.
So is there a neat way to secure some methods by checking the session before starting the process
source to share
You can use an aspect-oriented approach; PostSharp might be an option.
All you have to do is create an atrribute attribute using PostSharp to inject the code before calling the method to check if the session is alive. Something like:
[SessionAlive]
public void SomeMethod()
Or you can just use the method Session_End
in the Global.asax file or just use javascript code to redirect the redirect to the login page .
source to share
AOP is a great way for your requirement. You can use PostSharp and Castle DynamicProxy. This framework allows you to intercept method calls and you can perform security checks in the hooks.
The biggest technical difference between PostSharp and Castle DynamicProxy is PostSharp modifies your IL, where Castle DynamicProxy derives your class's type and gives you an instance of the new one obtained at runtime. This means that when you decompile code that uses PostSharp, you see some other code that is not written in the original C Sharp code.
If you choose the DynamicProxy approach, you must instantiate your classes through a factory, but if you prefer PostSharp you can use your classes directly. All you need is to add some attributes. On the other hand, PostSharp is not free.
Finally, you can implement DynamicProxy yourself. Here is a simple DynamicProxy generator I wrote. You can handle call before / after call and error events. This is just a sample code, and if you plan to use it in an important application, you should prefer a lock.
source to share
Another possibility is to use Castle Dynamic proxy - wrap your service with it. A dynamic proxy allows you to intercept method calls and wrap them in some general behavior - you can only intercept specific methods you want and add session validation.
Dynamic proxy is free unlike postsharp.
source to share
AOP is definitely the way to go for it. In addition to the general purpose AOP frameworks already suggested in other answers, you might be interested to know that the .NET framework includes an AOP mechanism for this type of security checks. To use it, simply create (and use) an attribute that inherits from CodeAccessSecurityAttribute as well as IPermission that it can use to validate the session.
source to share