.NET Tutorials, Forums, Interview Questions And Answers

oops, security oversight - how to *correctly* design this?

Posted Date: October 27, 2010 | Points: 0 | Category: ASP.Net


Here's the scenario: the company has lots of existing reports that they pull from their own system and don't want to recreate them in their web app. Instead, I'm creating a way for them to manage uploading these reports (their system creates the PDF files; I just need to provide them the interface to upload/manage them, and of course the user-facing interface to retrieve them).

I thought I had it all worked out until I realized that even though, using my interface (the web app), users will only ever see the reports they are allowed to see, there is currently nothing stopping a user from directly downloading a report file they are not supposed to if they know the path and file name.

Example folder structure on server for the uploads:


So, only users that have a matching clientID associated with their accounts should be able to access the files within the folder matching that clientID... and user accounts *can* have multiple clientIDs associated with their account. I have no problem making this happen within my web UI, but again, if a user knew the actual path, they could access other clients' reports, which obviously is ver

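One way to close the gap the post describes is to stop linking to the PDF files at all and route every download through a handler that re-checks the account's clientIDs on each request. The example below is added here and is not the poster's code. It assumes the report folders live under `D:\ReportStore` (a location outside the web site's physical root, so IIS never serves them as static files), that `ClientIdsForUser` is wired to the account-to-clientID association the post mentions, and that the handler is reachable as `Report.ashx`; all three are assumptions, not details from the thread.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Web;

// Added example, not the poster's code. Assumptions: reports are stored under
// ReportRoot, a folder OUTSIDE the web site's physical root, and ClientIdsForUser
// is wired to the account/clientID association table described in the post.
public static class ReportAuthorization
{
    // Hypothetical lookup: returns the clientIDs linked to an account.
    public static Func<string, string[]> ClientIdsForUser = userName => new string[0];

    // Resolves (clientId, fileName) to a path only if the user may read it and the
    // path stays inside root\clientId. Returns false for "not allowed", "bad input"
    // and "not found" alike, so a probing client learns nothing from the result.
    public static bool TryResolve(string root, string userName, string clientId,
                                  string fileName, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(fileName))
            return false;

        // clientID must be a bare identifier: letters and digits only, so no ".." or separators.
        if (!clientId.All(char.IsLetterOrDigit))
            return false;

        // File name must be a bare .pdf name with no directory component.
        if (fileName != Path.GetFileName(fileName) ||
            !fileName.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase))
            return false;

        // Authorization: the account must be linked to this clientID.
        string[] allowed = ClientIdsForUser(userName) ?? new string[0];
        if (!allowed.Contains(clientId, StringComparer.OrdinalIgnoreCase))
            return false;

        // Canonicalise and confirm the result is still inside the client's folder.
        string clientFolder = Path.GetFullPath(Path.Combine(root, clientId));
        string candidate = Path.GetFullPath(Path.Combine(clientFolder, fileName));
        if (!candidate.StartsWith(clientFolder + Path.DirectorySeparatorChar,
                                  StringComparison.OrdinalIgnoreCase))
            return false;

        if (!File.Exists(candidate))
            return false;

        fullPath = candidate;
        return true;
    }
}

// Handler that every report download goes through: /Report.ashx?clientId=...&file=...
public class ReportDownloadHandler : IHttpHandler
{
    private const string ReportRoot = @"D:\ReportStore";   // assumed location

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;   // Forms auth turns this into the login redirect
            return;
        }

        string fullPath;
        bool ok = ReportAuthorization.TryResolve(
            ReportRoot,
            context.User.Identity.Name,
            context.Request.QueryString["clientId"],
            context.Request.QueryString["file"],
            out fullPath);

        if (!ok)
        {
            context.Response.StatusCode = 404;   // same answer as for a missing file
            return;
        }

        context.Response.ContentType = "application/pdf";
        context.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.TransmitFile(fullPath);
    }
}
```

Both classes can sit in a single `Report.ashx` file headed by `<%@ WebHandler Language="C#" Class="ReportDownloadHandler" %>`, or in App_Code with the handler registered in web.config. The design point is that the file system is no longer the access-control boundary: the only path a browser ever sees is `Report.ashx?clientId=...&file=...`, and the decision is made per request from the account's current clientID list, so it holds even when an account is linked to several clients or a link is shared. Moving the store outside the site root matters because `<authorization>` rules in web.config only apply to requests ASP.NET itself handles; on a default classic-pipeline setup a `.pdf` under the site root is served by IIS as a static file and never reaches those rules.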

More Related Resource Links

Threat Modeling: Uncover Security Design Flaws Using The STRIDE Approach


Whenever you build a new system you should consider how an intruder might go about attacking it and then build in appropriate defenses at design time.

Shawn Hernan, Scott Lambert, Tomasz Ostwald, Adam Shostack

MSDN Magazine November 2006

Secure By Design: Your Field Guide To Designing Security Into Networking Protocols


If you were to build a new communications protocol from scratch, how would you address security? Here the authors take a look at that question and generate some valuable insights into secure protocols.

Mark Novak and Andrew Roths

MSDN Magazine September 2006

SSAS 2008 - Security Architecture Design?


Hi, I would like to know the BEST way to design SSAS 2008 security architecture for my organization.

I have different data sources in SQL Server 2008, and ETL stores that data into a data warehouse (dimension, fact), and then I create a cube on that DW. What I want to know is the BEST way to design the SECURITY architecture to browse the cube as per the ORGANIZATION CHART.

Like we have different companies >>> divided into Division >>> SubDivisions >>> Business Stream >>> Region (i.e. west, east) >>> .....

For example, if a person has WEST REGION access then he can only see the WEST region, not the other regions, but he needs access to the correct COMPANY >> DIVISION >> SUBDIVISION >> BUSINESS STREAM >> REGION - WEST only.

Can someone please provide the BEST possible solution/ideas to design this sort of SECURITY architecture. Thank You.

design strategy to overcome a server side control that can be manipulated by the client - (Security


Ok, so we have a .NET aspx app whereby we have some server-side button controls which in some states may be disabled.

However, in Internet Explorer a user could go to the developer tools and change/delete the disabled property of the button and then click the button to fire the action event.

What would be the best recommended strategy to prevent this?

many thanks
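The disabled attribute only shapes the HTML the browser renders; the postback it suppresses is still a request the server will happily process once the attribute is removed. The defence is to treat `Enabled = false` as a usability hint and re-evaluate the same rule on the server inside the click handler. The following is an added example, not code from this thread: `OrderService`, its in-memory order table, the `Approvers` role and the `id` query-string parameter are all constructed stand-ins for whatever state the real application keeps.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not from the original thread. OrderService and its in-memory
// order table are constructed stand-ins for the application's real data layer.
public static class OrderService
{
    // Constructed sample data: order id -> workflow state.
    private static readonly Dictionary<int, string> OrderState = new Dictionary<int, string>
    {
        { 1001, "Submitted" },
        { 1002, "Approved" },
    };

    // The authoritative rule, evaluated from server-side state only: a user in the
    // Approvers role may approve an order that is still in the Submitted state.
    public static bool CanApprove(IPrincipal user, int orderId)
    {
        string state;
        return user != null
            && user.IsInRole("Approvers")
            && OrderState.TryGetValue(orderId, out state)
            && state == "Submitted";
    }

    public static void Approve(int orderId)
    {
        OrderState[orderId] = "Approved";
    }
}

public partial class OrderPage : Page
{
    // In a real project this field comes from the designer file for the .aspx markup.
    protected Button btnApprove;

    private int CurrentOrderId
    {
        get { int id; return int.TryParse(Request.QueryString["id"], out id) ? id : -1; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Enabled only controls what is rendered. It is a hint to the user,
        // not a security control: the client can strip the disabled attribute.
        btnApprove.Enabled = OrderService.CanApprove(User, CurrentOrderId);
    }

    protected void btnApprove_Click(object sender, EventArgs e)
    {
        // Decide again on the server, from the same authoritative rule, before acting.
        if (!OrderService.CanApprove(User, CurrentOrderId))
        {
            // A postback from a control that should have been disabled is a tamper
            // signal: refuse the action (and log it) instead of silently running it.
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            HttpContext.Current.ApplicationInstance.CompleteRequest();
            return;
        }

        OrderService.Approve(CurrentOrderId);
    }
}
```

The important property is that `Page_Load` and `btnApprove_Click` call the same `CanApprove` method, so the UI and the enforcement can never drift apart: whatever the browser sends, the action runs only if the server-side state still permits it. The same applies to any other client-side gate (hidden fields, read-only inputs, JavaScript validation); each is a convenience that must be backed by a server-side check.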

Abstract Factory Design in C#, VB.NET

Provide an interface for creating families of related or dependent objects without specifying their concrete classes

Prototype Design Pattern in C#, VB.NET

Specify the kind of objects to create using a prototypical instance, and create new objects by copying this prototype

Adapter Design Pattern in C#, VB.NET

Convert the interface of a class into another interface clients expect. Adapter lets classes work together that couldn't otherwise because of incompatible interfaces.

Singleton Design Pattern in C#, VB.NET

Ensure a class has only one instance and provide a global point of access to it.

SharePoint Tutorial - Security

Security in SharePoint is comprised of users, groups and roles.

Users, Groups and Roles

A user account comes from the authentication system. For example, if Active Directory is used to authenticate then the user accounts will come from it.

There are two types of groups SharePoint uses: domain groups and SharePoint groups.

Solidify Your C# Application Architecture with Design Patterns

A design pattern can solve many problems by providing a framework for building an application. Design patterns, which make the design process cleaner and more efficient, are especially well-suited for use in C# development because it is an object-oriented language. Existing design patterns make good templates for your objects, allowing you to build software faster. This article describes several popular design patterns you can use in your own applications, including the singleton, the decorator, the composite, and the state classes, which can improve the extensibility of your applications and the reuse of your objects.

What Are Design Patterns and Do I Need Them?

Software professionals may be familiar with the term "Design Patterns," but many have no idea of where they come from and what they truly are. Consequently, some do not see the value and benefits design patterns bring to the software development process, especially in the areas of maintenance and code reuse.

Design Patterns for .NET

It is not the intent of the Design Pattern Series to focus on providing a theoretical knowledge dump of all there is to know about design patterns. There are many books that do that already. Instead, this series will focus on providing lots of practical examples. However, there will be some theory to help address important points concerning design patterns. I use the theory of design patterns mostly as a guide and instead make references to good design pattern books for a more detailed explanation.

Singleton Design Pattern in Asp.net using C#

When we want to have only one instance of a class, and also make sure that there is a global access point to that object, the design pattern we use is called Singleton. The pattern ensures that the class is instantiated only once and that all requests are directed to that one and only object.

The Factory Design Pattern

Software architects generally think in terms of high-level abstractions rather than low-level programming details. Representing a system in terms of high-level abstractions promotes understanding of the system and reduces its perceived complexity. One such set of abstractions is software design patterns. They have been successfully applied in the past to simplify and solve recurring problems in software design.

Abstract Factory Design Pattern (Sample in C# and VB .NET)

An abstract factory provides an interface for creating families of related objects without specifying their concrete classes. Sometimes one wants to construct an instance of one of a suite of classes, deciding between the classes at the time of instantiation. In order to avoid duplicating the decision making everywhere an instance is created, we need a mechanism for creating instances of related classes without necessarily knowing which will be instantiated.

GOF Creational Design Patterns with C#

The GOF design patterns help address the following challenges:

design ready to accommodate change and growth

design flexible systems which come ready to handle reconfiguration and run-time tailoring

code in a manner that facilitates reuse during the development and extension phases, i.e. both external and internal reuse, so that we are rewarded by efficiencies as the project progresses, coming from investments made earlier in the project

implement change in a way that doesn't overly shorten the system's useful lifespan

Design Patterns - Using the State Pattern in C#

What is the State Pattern?

The State Pattern is a behavioral pattern that can be used to alter the behavior of an object at run time. As the state of an object changes, the functionality of the object can change drastically. This change of behavior is hidden from the Client and the Client interfaces with a wrapper object known as the Context. The State Pattern is a dynamic version of the Strategy Pattern.