Channel: MSDN Blogs

Starting the Service Fabric Local Cluster Manager

I have had to start the Service Fabric Cluster Manager a few times without starting Visual Studio and deploying the application for talks or demos. Since the Cluster Manager is a separate process there is no need to run Visual Studio, simply: ...

Using a Gamepad for HTML5 projects

The HTML5 gamepad API allows you to interact with the web browser through a traditional gamepad, whether it is from Microsoft, Sony, or some other third-party product. Bear in mind that it is an experimental technology, so that means it isn’t implemented in every browser (yet). Mozilla has some fantastic docs and examples for the…

Guia Politicamente Incorreto da Economia Brasileira – Leandro Narloch

Leandro Narloch is a Brazilian journalist and writer. He was a reporter for Veja magazine and an editor of the magazines Aventuras na História and Superinteressante. The book seeks to debunk some myths and mental models holding that the "daddy" state is good for prosperity ...

SQL Server licenses now easy to use on Azure Virtual Machines

Author: Khalid Mouss (Senior Program Manager, Microsoft Az... ...

Achieving regulatory agility in the era of cloud computing

Author: Matt Rathbun (Cloud Security Director, Cloud Health & Security Engineering). This post is a translation of Achieving regulatory agility in the era of cloud computing, posted on May 26. On March 28, 2016, a new authorization process from the FedRAMP Joint Authorization Board (JAB), "FedRAMP Accelerated ...

Deploying a Web Apps certificate through Key Vault

May 25, 2016 [Deploying a Web Apps certificate through Ke… ...

Integrating ASP.NET Core with Service Fabric using ICommunicationListener

At the time of writing there is no official template for integrating ASP.NET Core (RC2) with Service Fabric in a Stateless Service so I thought I would dive in and see if I could get it to work by looking at the ASP.NET 4.6 Web API Template that is currently ...

General availability: Azure Backup in the Azure portal

May 26, 2016 [General availability: Azure Backup in the A… ...

New generation of D-Series instances for Azure Virtual Machines and Azure Cloud Services in Japan West

May 26, 2016 [New generation of D-Series instances for Az… ...

Azure Web App Gallery will support only Azure Marketplace from now on

May 26, 2016 [Azure Web Apps Gallery now supported only i… ...

Issue with renaming folder while mapping the drive

I ran into an interesting issue that I wanted to share.

I was trying to map my SharePoint site to a mapped drive. I was able to map it, but every time I created a folder and then tried to rename it, I got the error

"The file name you specified is not valid or too long. Specify a different file name". I had just one folder in the site, and still this error occurred. Here is the solution I found, and it's a tricky one:

For example, rather than mapping to https://test.com/Shared%20Documents, map to

\\test.com@ssl\Shared Documents\

Please make sure to replace %20 with a space.

Hope this article will help you.

Running Scripts Pre and Post Publish in ASP.NET Core RC2

This week I ran into an issue when deploying a Service Fabric service where a library file was not being copied to the output directory. Since I am using ASP.NET Core for my API layer in the Service Fabric project, I had to go dig around to figure out ...

Service Fabric ASP.NET Core could not load file or assembly ServiceFabricServiceModel

After adding a reference to retrieve a Service Fabric Actor to my ASP.NET Core Web API project I got the following error when making the call to create the actor using IMyActor actor = ActorProxy.Create<IMyActor>(actorId, serviceuri); : ...

Azure AD named a "Leader" in the IDaaS category of the 2016 Gartner Magic Quadrant

Author: Alex_SimonsMS (Azure Active Directory, Identity &... ...

Azure Redis Cache: General availability for Resource Manager-based virtual networks

June 1, 2016 [Azure Redis Cache: General availability of s… ...

Preview update:

June 1, 2016 [Preview update: DocumentDB protocol support … ...

General availability: HDInsight Tools for IntelliJ

June 6, 2016 [General availability: HDInsight Tools for In… ...

Azure SQL Data Warehouse: Introducing Premium Storage

June 6, 2016 [Azure SQL Data Warehouse: Introducing Premiu… ...

Upcoming Events :: Data Analytics to Data Science

At the beginning of this year, we spent two months based directly in Silicon Valley seeking even more knowledge and news in the area of Data Analytics and Data Science to share with you! The result was the birth of the Project Data Analytics to Data ...

Entity Framework - Row / Column Based Security


Prepared by LC WAIKIKI IT Team (tayfun.esmer@lcwaikiki.com)  and Dr. Alp Asutay

1.    Introduction

The last few years have seen the rise of the Entity Framework object-relational mapper. It has become more robust with each version, and Entity Framework 6 introduced interceptors. Interceptors allow us to intervene in the queries executed against SQL, the result sets coming back from SQL and even the exceptions raised by those executions. If you have looked into interceptors, you must have come across a few implementations on the internet, such as logging and soft delete. What we aim for here is a much more complex and advanced scenario, which serves our security policies based on the rows and columns of a table.

At the end of the day, Row Based Security will enable us to implement restrictions on data row access, for example ensuring that employees can access only the data pertinent to their department, or that a group of accountants can access only the orders with less than $10.000 total price. Column Based Security, on the other hand, will enable us to implement restrictions on columns. As with Row Based Security, it is the data that is restricted, but the target is all data under the specified columns.

2.    Solution & Implementation

We all know that limiting data means filtering it, which is done with the “where” keyword. So basically we will apply predicates to the set of entities when queried, at the application tier and independently of developers. There are two interceptor levels for queries before they go out the gate and get executed in SQL. One is DbCommandInterceptor, which works at the SQL level and carries the DbCommand object, the very same class SqlCommand derives from. Altering the SQL command before it gets executed is not the level we want to work at. The other one is DbCommandTreeInterceptor which, as its name suggests, makes it possible to work with expression trees and alter them with the help of visitor objects. That’s the path we will take to achieve our goal more elegantly.

So, first things first. We are going to create policy expressions holding the main data which defines the target for security policy to be applied: environment, server, database, table (entity), column, field (property of the entity) and even the values or the source of them. You can see the data model below.

By holding the environment information along with the server and database, we can apply different policies for a user on different environments such as test, prod, development etc. DbObject and DbObjectField tables are for the entity and its property. These policy securities can be associated with claims, claim groups and users specifically, and the information for that is held in AuthorizationRef and AuthorizationDefinitionRef fields in PolicySecurity table.

The journey of the code written for the implementation of this solution begins as the user steps in our application, which is the Session_Start event for web applications. There we query all the row and column based security policies associated with the incoming user with all the data needed, transform them into DataPolicyExpression objects and store them in distributed cache which happened to be Redis Cache for us.

Notice that the PropertyValueSource value is static, with a value next to it, which is 2 in this example. However, the source could be External, meaning the data for the expression is pulled from an object that implements the interface this solution exposes (IExternalPolicySecurityService), whose method returns a Dictionary<string, string> holding the key for the external values and the actual values (probably a set of IDs from other tables), however and wherever they come from. In that case, instead of a static value, we hold the key name of that external source.

Once the concrete class implementing that interface is found in the web project, its method is invoked and all the data is returned for the security policy, most likely to be used with the "IN" operator instead of equals (=). The external value source option allows us to define policies with dynamic data that has to be evaluated at runtime and involves other tables. Besides these two options, we can store our policies with internal value sources, which refer to service endpoints. Instead of a concrete class implementing a specific interface, a web service can be used for the same purpose but different technical needs. As in the external value case, the service returns a Dictionary<string,string>. In our case this internal value source, working with web services, always served us sets of IDs from other tables to be used with the "IN" operator.

We have two separate interceptors for row based policies and column based policies.

These two interceptors are registered and waiting for any query to catch before it is executed in SQL Server.

At that point, when the TreeCreated event is triggered, we pull the data from the cache and see if the executing query holds any matching entity (table).

If so, the policy information stored in DataPolicyExpression object is used to build DbFilterExpression with dynamic filters, to be attached to the query.

Building that expression doesn’t happen on every query hit. Instead, it is created once and stored in memory for later hits on the same entity. That process could have been done much earlier, for example in the Session_Start event for every single user. But that depends on the number of policies defined for each user and on how complex the policies, and therefore the expressions to be built, are; and of course we cannot know for sure whether the user is going to hit that table (entity) in that session at all. So the implementation may differ for technical and performance reasons, but at the end of the day, with the help of the interceptors, we can apply new filters or replace the existing ones based on our policies.
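
One way to write the row-based interceptor described above against the Entity Framework 6 command-tree API (an added example, not the authors' code). RowPolicy, RowSecurityInterceptor, RowFilterVisitor and the policy lookup delegate are hypothetical names, and the policy is assumed to map a store table to a single column and its allowed values, which is simpler than the DataPolicyExpression model described here.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Entity.Core.Common.CommandTrees;
using System.Data.Entity.Core.Common.CommandTrees.ExpressionBuilder;
using System.Data.Entity.Core.Metadata.Edm;
using System.Data.Entity.Infrastructure.Interception;

// Hypothetical policy: rows are visible only when Column holds an allowed value.
public sealed class RowPolicy
{
    public string Column;
    public string[] AllowedValues;
}

public sealed class RowSecurityInterceptor : IDbCommandTreeInterceptor
{
    // Assumption: returns the current user's policies keyed by store entity set name.
    private readonly Func<IDictionary<string, RowPolicy>> _policies;
    public RowSecurityInterceptor(Func<IDictionary<string, RowPolicy>> policies) { _policies = policies; }

    public void TreeCreated(DbCommandTreeInterceptionContext context)
    {
        var query = context.Result as DbQueryCommandTree;
        if (query == null || context.OriginalResult.DataSpace != DataSpace.SSpace) return;
        var filtered = query.Query.Accept(new RowFilterVisitor(_policies()));
        context.Result = new DbQueryCommandTree(query.MetadataWorkspace, query.DataSpace, filtered);
    }
}

public sealed class RowFilterVisitor : DefaultExpressionVisitor
{
    private readonly IDictionary<string, RowPolicy> _policies;
    public RowFilterVisitor(IDictionary<string, RowPolicy> policies) { _policies = policies; }
    // Every table reference in the query is a DbScanExpression; wrap matching ones in a filter.
    public override DbExpression Visit(DbScanExpression scan)
    {
        RowPolicy policy;
        if (!_policies.TryGetValue(scan.Target.Name, out policy)) return base.Visit(scan);
        var row = scan.Bind();
        DbExpression predicate = null;
        foreach (var value in policy.AllowedValues)
        {
            DbExpression match = row.Variable.Property(policy.Column).Equal(DbExpression.FromString(value));
            predicate = predicate == null ? match : predicate.Or(match);
        }
        // Fail closed: a policy with no allowed values hides every row (WHERE 1 = 0).
        if (predicate == null) predicate = DbExpression.FromInt32(1).Equal(DbExpression.FromInt32(0));
        return row.Filter(predicate);
    }
}
```

Register the interceptor once at startup with DbInterception.Add. The allowed values become constants in the command tree, so they are subject to the query caching behaviour discussed in section 3.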


3. Problems & Solutions

Of course we had some trouble making our code work during this implementation. Firstly, the order in which the interceptors run mattered when both column and row based policies applied to the same column. Because the column name was replaced with the default value of that type (an empty string in our case), that default value was also used in the where clause, which caused the queries to have false conditions all the time. It looked something like this:

SELECT Foo1, Foo2, N''
FROM tb_Table
WHERE N'' = 'UK'

Instead of WHERE Foo3 = 'UK', the column name was replaced by the default value, which was put there by a column based security policy because the user had no rights to see that specific column. We solved the problem simply by registering the interceptors in the right order.

Another problem we faced was the query cache mechanism of Entity Framework. The problem arises when an entity is queried more than once. When a value is set in a filter parameter, that value is cached and reused for further queries. This happens because the interceptors we use implement IDbCommandTreeInterceptor, and the TreeCreated method is executed only once per query command, whose result is cached afterwards. Even a new instance of DbContext won’t make any difference; we’ll be stuck with the cached parameter values. This can be a problem for almost any kind of interceptor work, unless it uses a hard-coded value such as true/false, as soft delete implementations do.

While there are a few different workarounds for this problem (using functions that produce queries with constants, or using properties of non-mapped objects and such), we decided to go with an IEnumerable<TEntity> collection which always remains empty. Entity Framework does not cache queries that involve an IEnumerable<T>.Contains<T>(T value) call against an in-memory collection, since the values of the collection are considered volatile. The Contains call can be made in a wrapped DbSet object or in a base-repository-like object, so that no matter which entity the query is for, Entity Framework won’t replace it with the cached one.
