Introduction
This role-based secure base form lets you implement security on Windows Forms without rewriting the basic security handling for each form in your application or project.
Background
As I needed to restrict access to several forms, or to several parts of forms, I searched for a base form that could deliver this functionality. However, the ones I came across were limited in their functionality, so I had to look at other ways to achieve this goal. First, I set up the basic requirements for this base form:
- The base form should not conflict when used in design mode (although basic, there are some issues that need to be considered).
- The base form should take the required roles for the form and the user principal (IPrincipal) as parameters in order to validate access to the form.
- The base form should:
  - Open the form when one of the User-roles is in the Form roles.
  - Not open the form when none of the User-roles is in the Form roles.
  - Allow an event to be raised when the user is allowed.
  - Allow an event to be raised when the user is denied (this overrides the second option, because in this case the form needs to be opened).
  - Give a validated list of the roles that are in both the User-Roles and the Form-Roles.
In search of the correct approach
While searching the internet, I came across this article: Simplified implementation without title, which forms the basic idea for this implementation. Although simplified, its author describes the correct approach to take, hence my interest in using the same skeleton. When testing this approach, I came across one issue: when the form is initialized from the Main method (program.cs), the "Show" or "ShowDialog" methods are not called, so another means of initialization is needed. Luckily, I came across this article explaining how to approach the issue: Application Architecture in Windows Forms 2.0. The flaw that I came across with this approach is that the application will silently keep running in the background when the main window is never made visible, but it is a start.
    [STAThread]
    static void Main()
    {
        // ...
        MainForm form = new MainForm();
        form.Show();
        // Only start the message loop when the form was actually created.
        if (form.Created)
            Application.Run();
    }
Using the code
Creating the form based on the SecureBaseForm and implementing the security parameters:
    public class Form1 : SecureBaseForm
    {
        // Pass the roles this form requires and the current user principal to the base form.
        public Form1(IPrincipal userPrincipal) :
            base(new string[] { "UserRole1", "UserRole2" }, userPrincipal)
        {
            InitializeComponent();
        }
    }
In the above example, the user is allowed when the user principal contains either the "UserRole1" or the "UserRole2" role. The same example can also show what to do when the user has access to the form but you want to disable certain features based on one of the roles:
    private void Form1_UserIsAllowed(object sender, EventArgs e)
    {
        // ValidatedUserRoles holds the form roles that the user actually has.
        button1.Enabled = this.ValidatedUserRoles.Contains("UserRole1");
        button2.Enabled = this.ValidatedUserRoles.Contains("UserRole2");
    }
Depending on whether the user has the role "UserRole1" or "UserRole2" defined, the appropriate button(s) will be enabled. The same event handling is available for "UserIsDenied".
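A minimal sketch of how a base form could meet the requirements listed in the Background section, added here as an illustration; it is not the SecureBaseForm shipped with this article. The member names follow the article, while the bodies, the OnLoad hook (which runs for Show, ShowDialog and Application.Run(form)) and the fail-closed handling of a missing or unauthenticated principal are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Security.Principal;
using System.Windows.Forms;

// Added sketch: member names follow the article, the bodies are assumptions.
public class SecureBaseForm : Form
{
    private readonly string[] formRoles;
    private readonly IPrincipal user;
    private readonly List<string> validated = new List<string>();
    // LicenseManager.UsageMode is reliable in the constructor, DesignMode only once sited.
    private readonly bool designTime = LicenseManager.UsageMode == LicenseUsageMode.Designtime;

    public event EventHandler UserIsAllowed;
    public event EventHandler UserIsDenied;

    // The designer needs a parameterless constructor; at run time it grants no roles.
    public SecureBaseForm() : this(null, null) { }

    protected SecureBaseForm(string[] formRoles, IPrincipal userPrincipal)
    {
        this.formRoles = formRoles ?? new string[0];
        this.user = userPrincipal;
    }

    // Form roles that the user principal also holds.
    public IList<string> ValidatedUserRoles { get { return validated.AsReadOnly(); } }

    private bool Authorize()
    {
        validated.Clear();
        // Fail closed: a missing or unauthenticated principal holds no roles.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return false;
        foreach (string role in formRoles)
            if (user.IsInRole(role)) validated.Add(role);
        return validated.Count > 0;
    }

    protected override void OnLoad(EventArgs e)
    {
        if (designTime || DesignMode) { base.OnLoad(e); return; } // no checks in the designer
        bool allowed = Authorize();
        EventHandler handler = allowed ? UserIsAllowed : UserIsDenied;
        if (!allowed && handler == null) { Close(); return; }     // default: do not open
        base.OnLoad(e);                                            // Load handlers run only now
        if (handler != null) handler(this, EventArgs.Empty);
    }
}
```

The derived form's constructor, including InitializeComponent, still runs before this check, so load anything sensitive in a Load or UserIsAllowed handler rather than in the constructor.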
Points of interest
I was never so pleased with implementing security, as there will always be weak spots and you have to follow the various forums and the like to keep up to date. Nevertheless, I think this is a nice approach which will give my future applications one hurdle fewer.
Should you want to comment, please do so...
History
- Version 1.00 (30 September, 2009) - Hopefully, something can be done on UserControls as well (keep your eyes open).