
A Secure Role-based Windows Form

30 Sep 2009
This article describes how to implement Role-based Windows Form security. The solution includes a SecureBaseForm which allows/denies access to an inheriting Form and may fire the UserIsAllowed or UserIsDenied events.

[Figure: SecureBaseForm.jpg]

Introduction

This Role-based secure base form allows you to implement security on Windows Forms without the necessity to rewrite the basic security handling for each form within your application or project.

Background

As I needed to restrict access to several forms, or to several parts of forms, I searched for a base form that could deliver this functionality. However, the ones that I came across were limited in their functionality, so I had to look at other ways to achieve this goal. First, I set up the basic requirements for this base form:

  1. The base form should not conflict when used in design mode (although basic, there are some issues that need to be considered).
  2. The base form should take the required roles for the form and the user principal (IPrincipal) as parameters in order to validate the access to the form.
  3. The base form should:
    1. Open the form when one of the User-roles is in the Form roles.
    2. Not open the form when none of the User-roles is in the Form roles.
    3. Allow an event to be raised when the user is allowed.
    4. Allow an event to be raised when the user is denied (this overrides the second option, as in this case the form needs to be opened).
  4. Give a validated list of roles that are within the User-Roles and the Form-Roles.

In search for the correct approach

While searching the internet, I came across this article: Simplified implementation without title, which forms the basic idea for this implementation. Although simplified, the author describes the correct approach to take, hence my interest in reusing the same skeleton. When testing this approach, I came across one issue: when the form is initialized from the Main method (program.cs), the "Show" or "ShowDialog" methods are not called, and another means of initialization is needed. Luckily, I came across this article explaining how to approach the issue: Application Architecture in Windows Forms 2.0. The flaw that I came across with this approach is that the application will silently keep running in the background when the main window is never made visible, but it is a start.

[STAThread]   
static void Main() 
{
    ...
    // Create and show the main form modelessly
    MainForm form = new MainForm(); 
    form.Show();

    // Run the application only when the Form has been created.
    if( form.Created )
        Application.Run();
}

Using the code

Creating the form based on the SecureBaseForm and implementing the security parameters:

using System.Security.Principal;

public class Form1 : SecureBaseForm
{
    // A constructor has no return type; "void" here would declare a method, not a constructor.
    public Form1(IPrincipal userPrincipal) : 
        base( new string[] { "UserRole1", "UserRole2" }, userPrincipal )
    {
        //
        //    Capture the principal here in case it is needed in a second Form
        //
        InitializeComponent();   // designer-generated method
    }
}

In the above example, the form user is allowed access when the user principal holds either the "UserRole1" or the "UserRole2" role. The same example also shows what to do when the user has access to the form but you want to disable certain features depending on which of the roles they hold:

//
// Form1 has the event handling "Form1_UserIsAllowed" defined
//
private void Form1_UserIsAllowed(object sender, EventArgs e)
{
    // ValidatedUserRoles only ever contains roles that are both required by the
    // form and held by the user, so only the form roles ("UserRole1", "UserRole2")
    // can appear here; checking any other role would always disable the button.
    button1.Enabled = this.ValidatedUserRoles.Contains("UserRole1");
    button2.Enabled = this.ValidatedUserRoles.Contains("UserRole2");
}

Depending on whether the user holds the role "UserRole1" or "UserRole2", the corresponding button(s) will be enabled. The same event handling is embedded for "UserIsDenied".
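To show how the pieces described above fit together, here is a hypothetical SecureBaseForm written for this article as an added example; it is not the base form from the author's download, and its class layout and member names (formRoles, Validate, the OnLoad override) are assumptions. It applies the requirements listed earlier: the validated roles are those both required by the form and held by the principal, the check is skipped at design time, and a denied user either gets the UserIsDenied event or the form closes itself, which makes the form.Created test in the Main() pattern above work.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Windows.Forms;

// Hypothetical SecureBaseForm (added example, not the article's download): keeps the
// roles the form requires that the principal also holds, then raises UserIsAllowed,
// raises UserIsDenied (form stays open for the handler), or closes itself.
public class SecureBaseForm : Form
{
    private readonly string[] formRoles;
    private readonly IPrincipal principal;

    public event EventHandler UserIsAllowed;
    public event EventHandler UserIsDenied;

    // Roles that are both required by the form and held by the user.
    public IList<string> ValidatedUserRoles { get; private set; }

    // Parameterless constructor so the Visual Studio designer can instantiate it.
    public SecureBaseForm() : this(new string[0], null) { }
    public SecureBaseForm(string[] formRoles, IPrincipal principal)
    {
        this.formRoles = formRoles ?? new string[0];
        this.principal = principal;
        ValidatedUserRoles = new List<string>();
    }

    // Fail closed: a null or unauthenticated principal validates no roles at all.
    private bool Validate()
    {
        bool authenticated = principal != null && principal.Identity != null
                             && principal.Identity.IsAuthenticated;
        ValidatedUserRoles = authenticated
            ? formRoles.Where(r => principal.IsInRole(r)).ToList()
            : new List<string>();
        return ValidatedUserRoles.Count > 0;
    }

    // OnLoad runs for Show()/ShowDialog() and for the Main() pattern above; checking
    // here rather than in the constructor keeps the designer working.
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (DesignMode) return;                       // never enforce roles at design time
        if (Validate()) { if (UserIsAllowed != null) UserIsAllowed(this, e); }
        else if (UserIsDenied != null) UserIsDenied(this, e);
        else Close();                                 // no handler: deny by closing
    }
}
```

Because Close() runs inside OnLoad, a form opened with Show() from Main() never becomes visible when access is denied, so form.Created stays false and Application.Run() is not entered.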

Points of interest

I was never very pleased with implementing security, as there will always be weak spots and you have to follow the various forums and the like to keep up to date. Nevertheless, I think this is a nice approach, which will allow my future applications to have one hurdle less.

Should you want to comment, please do so...

History

  • Version 1.00 (30 September, 2009) - Hopefully, something can be done on UserControls as well (keep your eyes open).

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.
