Current 2-tier application
ASP.NET (Membership/Roles) – BL – DAL – DB
After the user is authenticated (membership) we use roles to facilitate authorization to different menu items such as “Reporting” and “Administration”. However, as part of authorization, we must also take into account response filtering. For example, regardless of the user’s role, a method to retrieve a statement by id should be limited so that the user can retrieve only the statements that belong to them via some established database relationship. To facilitate this, the web application maintains in session a profile (POCO) which is injected into each BL object (perhaps this object should have been incorporated into IIdentity). Subsequently, inside the BL we’re able to determine whether the request for id X should indeed return a statement, because we know the user that is requesting this statement, and we know the relationship between the statement and the users that should be able to access it.
Future 3-tier application
ASP.NET (Membership/Roles) – WCF – BL – DAL – DB
Authentication seems to stay the same; the WCF service can be password-secured to make sure that only our web application (or any other that has the user/password) has access to it. However, how do I go about facilitating response filtering? Are there seamless mechanisms to pass ASP.NET’s IPrincipal/IIdentity to the service? If yes, how will this limit me if down the line I have a non-ASP.NET client to the same service? If not, should this information be part of the request DTO or request header?
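One way to carry the authenticated user across the WCF boundary while keeping the ownership check inside the BL is a trusted-subsystem layout: the endpoint is locked down to the web application's own credential, the ASP.NET tier forwards the user's id and roles in a custom SOAP header, and the BL takes the caller as an explicit parameter and re-applies the "is this statement yours" rule on every lookup. The following is an added illustration of that pattern, not code from the question or from any particular project; every type, member, header name and namespace in it is an assumption, the in-memory repository stands in for the DAL, and the sample statements are constructed for the example.

```csharp
// Added example (assumed names throughout). The header is plain data: it is only
// trustworthy because the endpoint authenticates the web application that sends it.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

[DataContract]
public class CallerContext
{
    [DataMember] public string UserId { get; set; }
    [DataMember] public string[] Roles { get; set; }
    public bool IsInRole(string role) => Roles != null && Roles.Contains(role);
}

[DataContract]
public class StatementDto
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string OwnerUserId { get; set; }
    [DataMember] public decimal Balance { get; set; }
}

public interface IStatementRepository { StatementDto FindById(int id); }

// Stand-in for the DAL with constructed sample rows.
public class InMemoryStatementRepository : IStatementRepository
{
    private static readonly List<StatementDto> Rows = new List<StatementDto>
    {
        new StatementDto { Id = 1, OwnerUserId = "alice", Balance = 120.50m },
        new StatementDto { Id = 2, OwnerUserId = "bob",   Balance = 9.99m  },
    };
    public StatementDto FindById(int id) => Rows.FirstOrDefault(r => r.Id == id);
}

// Business layer: the caller is a parameter, never read from global state, so the
// same rule runs identically whichever transport delivered the request.
public class StatementService
{
    private readonly IStatementRepository _repo;
    public StatementService(IStatementRepository repo) { _repo = repo; }

    public StatementDto GetStatement(int id, CallerContext caller)
    {
        if (caller == null || string.IsNullOrEmpty(caller.UserId))
            throw new SecurityException("Unauthenticated caller");

        var stmt = _repo.FindById(id);
        // Response filtering: a valid id is not enough; the row must belong to the
        // caller (or the caller must hold the assumed "Administration" role).
        if (stmt == null ||
            (stmt.OwnerUserId != caller.UserId && !caller.IsInRole("Administration")))
            return null; // same answer for "not found" and "not yours": no existence leak
        return stmt;
    }
}

// WCF boundary: a custom header carries the caller in and out.
public static class CallerHeader
{
    public const string Name = "CallerContext";
    public const string Ns = "urn:example:caller"; // assumed namespace

    // Client side (ASP.NET tier), inside an OperationContextScope around the proxy call.
    public static void Attach(CallerContext ctx) =>
        OperationContext.Current.OutgoingMessageHeaders.Add(
            MessageHeader.CreateHeader(Name, Ns, ctx));

    // Service side: read it back and fail closed when it is missing.
    public static CallerContext Read()
    {
        var headers = OperationContext.Current.IncomingMessageHeaders;
        if (headers.FindHeader(Name, Ns) < 0)
            throw new FaultException("Missing caller context");
        return headers.GetHeader<CallerContext>(Name, Ns);
    }
}

[ServiceContract]
public interface IStatementContract
{
    [OperationContract] StatementDto GetStatement(int id);
}

public class StatementWcfService : IStatementContract
{
    private readonly StatementService _bl =
        new StatementService(new InMemoryStatementRepository());

    // The operation contract carries only the id; identity rides in the header.
    public StatementDto GetStatement(int id) => _bl.GetStatement(id, CallerHeader.Read());
}

// ASP.NET side (sketch):
// using (new OperationContextScope((IContextChannel)proxy))
// {
//     CallerHeader.Attach(new CallerContext { UserId = User.Identity.Name,
//                                             Roles = Roles.GetRolesForUser() });
//     var stmt = proxy.GetStatement(1);   // alice gets row 1; bob gets null for it
// }
```

Two caveats a reviewer would want stated. First, because the header is asserted rather than proven, anyone holding the service password can claim any user, so the endpoint credential is the real trust boundary and must be kept out of any untrusted client. Second, a future non-ASP.NET client fits in one of two ways: if it is another trusted subsystem it gets its own credential and sends the same header; if it is end-user facing, the service should authenticate the user itself (for example from ServiceSecurityContext.Current.PrimaryIdentity or a claims token) and build the CallerContext from that, leaving the BL check unchanged.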