]]>

Minimum expected table schema for ADO Security Provider:

Represents an that uses Active Directory for its backend data store and credential authentication.

A Security Identifier can also be specified in IncludedResources instead of a role name in the format of 'SID:<Security Identifier>' (Example: SID:S-1-5-21-19610888-1443184010-1631745340-269783). Required config file entries:

]]>

Base class for a provider of role-based security in applications.

This examples shows how to extend to use a flat-file for the security data store:


            using System.Data;
            using System.IO;
            using GSF;
            using GSF.Data;
            using GSF.IO;
            using GSF.Security;
            
            namespace CustomSecurity
            {
                public class FlatFileSecurityProvider : SecurityProviderBase
                {
                    private const int LeastPrivilegedLevel = 5;
            
                    public FlatFileSecurityProvider(string username)
                        : base(username)
                    {
                    }
            
                    public override bool RefreshData()
                    {
                        // Check for a valid username.
                        if (string.IsNullOrEmpty(UserData.Username))
                            return false;
            
                        // Check if a file name is specified.
                        if (string.IsNullOrEmpty(ConnectionString))
                            return false;
            
                        // Check if file exist on file system.
                        string file = FilePath.GetAbsolutePath(ConnectionString);
                        if (!File.Exists(file))
                            return false;
            
                        // Read the data from the specified file.
                        DataTable data = File.ReadAllText(file).ToDataTable(",", true);
                        DataRow[] user = data.Select(string.Format("Username = '{0}'", UserData.Username));
                        if (user.Length > 0)
                        {
                            // User exists in the specified file.
                            UserData.IsDefined = true;
                            UserData.Password = user[0]["Password"].ToNonNullString();
            
                            for (int i = LeastPrivilegedLevel; i >= int.Parse(user[0]["Level"].ToNonNullString()); i--)
                            {
                                UserData.Roles.Add(i.ToString());
                            }
                        }
            
                        return true;
                    }
            
                    public override bool Authenticate(string password)
                    {
                        // Compare password hashes to authenticate.
                        return (UserData.Password == SecurityProviderUtility.EncryptPassword(password));
                    }
                }
            }

Config file entries that go along with the above example:

]]>

Defines a provider of role-based security in applications.

Authenticates the user.

Password to be used for authentication. true if the user is authenticated, otherwise false.

Refreshes the from the backend data store.

true if is refreshed, otherwise false.

Updates the in the backend data store.

true if is updated, otherwise false.

Resets user password in the backend data store.

Answer to the user's security question. true if the password is reset, otherwise false.

Changes user password in the backend data store.

User's current password. User's new password. true if the password is changed, otherwise false.

Performs a translation of the specified user .

The user role to be translated. The user role that the specified user translates to.

Gets or sets the name of the application being secured as defined in the backend security data store.

Gets or sets the connection string to be used for connection to the backend security data store.

Gets or sets the password as a .

Gets or sets as clear text password.

Gets the object containing information about the user.

Gets a boolean value that indicates whether operation is supported.

Gets an authentication failure reason, if set by the provider when authentication fails.

Gets or sets the to use for logging security events for the implementation.

Set to null to use default handler, i.e., .

Specifies the default value for the property.

Initializes a new instance of the security provider.

Name that uniquely identifies the user. true if the security provider can refresh from the backend data store, otherwise false. true if the security provider can update in the backend data store, otherwise false. true if the security provider can reset user password, otherwise false. true if the security provider can change user password, otherwise false.

Releases the unmanaged resources before the security provider is reclaimed by .

When overridden in a derived class, authenticates the user.

Password to be used for authentication. true if the user is authenticated, otherwise false.

When overridden in a derived class, refreshes the from the backend datastore.

true if is refreshed, otherwise false.

When overridden in a derived class, updates the in the backend datastore.

true if is updated, otherwise false.

When overridden in a derived class, resets user password in the backend datastore.

Answer to the user's security question. true if the password is reset, otherwise false.

When overridden in a derived class, changes user password in the backend datastore.

User's current password. User's new password. true if the password is changed, otherwise false.

Releases all the resources used by the security provider.

Initializes the security provider.

Saves security provider settings to the config file if the property is set to true.

has a value of null or empty string.

Loads saved security provider settings from the config file if the property is set to true.

has a value of null or empty string.

Performs a translation of the specified user .

The user role to be translated. The user role that the specified user translates to.

Releases the unmanaged resources used by the security provider and optionally releases the managed resources.

true to release both managed and unmanaged resources; false to release only unmanaged resources.

Occurs when the class has been disposed.

Gets or sets the name of the application being secured as defined in the backend security datastore.

Gets or sets the connection string to be used for connection to the backend security datastore.

Gets or sets the password as a .

Gets or sets as clear text password.

Gets or sets the to use for logging security events for the implementation.

Set to null to use default handler, i.e., .

Gets or sets a boolean value that indicates whether security provider settings are to be saved to the config file.

Gets or sets the category under which security provider settings are to be saved to the config file if the property is set to true.

The value being assigned is a null or empty string.

Gets or sets a boolean value that indicates whether the security provider is currently enabled.

Gets the object containing information about the user.

Gets a boolean value that indicates whether operation is supported.

Geta a boolean value that indicates whether operation is supported.

Gets a boolean value that indicates whether operation is supported.

Gets or allows derived classes to set an authentication failure reason.

Gets current intialization state.

Defines the provider ID for the .

Specifies the default value for the property.

Initializes a new instance of the class.

Name that uniquely identifies the user.

Initializes a new instance of the class.

Updates the in the backend data store.

true if is updated, otherwise false. Always

Resets user password in the backend data store.

Answer to the user's security question. true if the password is reset, otherwise false. Always

Saves settings to the config file if the property is set to true.

Loads saved settings from the config file if the property is set to true.

Authenticates the user.

Password to be used for authentication. true if the user is authenticated, otherwise false.

Refreshes the from the backend data store.

true if is refreshed, otherwise false.

Refreshes the from the backend data store loading user groups into desired collection.

Target collection for user groups. Unique provider ID used to distinguish cached user data that may be different based on provider. true if is refreshed, otherwise false.

Changes user password in the backend data store.

User's current password. User's new password. true if the password is changed, otherwise false. This method always returns false under Mono deployments.

Performs a translation of the specified user .

The user role to be translated. The user role that the specified user translates to.

Gets the LDAP path.

The LDAP path.

Gets or sets a boolean value that indicates whether user information is to be cached for offline authentication.

Gets or sets the wait interval (in milliseconds) before retrying load of offline user data cache.

Gets or sets the maximum retry attempts allowed for loading offline user data cache.

Gets the original of the user if the user exists in Active Directory.

Default regular expression used to validate new database user passwords.

Default error message displayed when databases users fail regular expression test.

Defines the provider ID for the .

Initializes a new instance of the class.

Name that uniquely identifies the user.

Initializes a new instance of the class.

Loads saved security provider settings from the config file if the property is set to true.

has a value of null or empty string.

Refreshes the .

true if is refreshed, otherwise false.

Authenticates the user.

Password to be used for authentication. true if the user is authenticated, otherwise false.

Changes user password in the backend data store.

User's current password. User's new password. true if the password is changed, otherwise false. does not meet password requirements.

Logs user authentication attempt.

true if user authentication was successful, otherwise false. true if logging was successful, otherwise false.

Logs information about an encountered exception to the backend data store.

Source of the exception. Detailed description of the exception. true if logging was successful, otherwise false.

Gets the LDAP path.

The LDAP path.

Extracts the current security context from the database.

Existing database connection used to extract security context. A new containing the latest security context.

Gets a boolean value that indicates whether operation is supported.

Gets last exception reported by the .

Represents a secured inter-process cache for the security context needed by the .

This is a system cache that contains the last known security information loaded from the database related to users, roles and groups. This cache allows the to start-up without database access using latest cached security context. Even though this cache contains role information for all users, it does not overlap information in the since the user role cache contains role assignments for a user at last login and is used for auditing.

Creates a new instance of the with the specified number of .

Maximum concurrent reader locks to allow.

Initiates inter-process synchronized save of .

Handles serialization of file to disk; virtual method allows customization (e.g., pre-save encryption and/or data merge).

used to serialize data. File data to be serialized. Consumers overriding this method should not directly call property to avoid potential dead-locks.

Handles deserialization of file from disk; virtual method allows customization (e.g., pre-load decryption and/or data merge).

used to deserialize data. Deserialized file data. Consumers overriding this method should not directly call property to avoid potential dead-locks.

Loads the for the current local user.

Loaded instance of the .

Gets or sets the internal ; returned value will be a copy of the internal.

Represents a secured inter-process cache for a of serialized user role information.

This is a system cache that contains the role assignments for each user that has logged in successfully. This cache is used to check for changes in role assignments for a user - that is, a role change in the database that may now be different than what is in the current cache. Any kind of role changes are logged as security events in the Windows event log for auditing. Note that this is kept as a separate cache from the since the user role cache is used for auditing and contains information relative to a user's roles at last login.

Creates a new instance of the with the specified number of .

Maximum concurrent reader locks to allow.

Attempts to retrieve access role for given .

User name associated with access role to retrieve. Access roles to populate if found. true if access roles for given were retrieved; otherwise false.

Serializes the for the given into the .

User name associated with access role to retrieve. Access roles to update or populate. This will add an entry into the user roles cache for if it doesn't exist; otherwise existing entry will be updated. Updates are automatically queued up for serialization so user does not need to call .

Merge user roles from another , local cache taking precedence.

Other to merge with.

Merge user roles from another , other cache taking precedence.

Other to merge with.

Initiates inter-process synchronized save of user role cache.

Handles serialization of file to disk; virtual method allows customization (e.g., pre-save encryption and/or data merge).

used to serialize data. File data to be serialized. Consumers overriding this method should not directly call property to avoid potential dead-locks.

Handles deserialization of file from disk; virtual method allows customization (e.g., pre-load decryption and/or data merge).

used to deserialize data. Deserialized file data. Consumers overriding this method should not directly call property to avoid potential dead-locks.

Calculates the hash of the used as the key for the user roles dictionary.

User name to hash. The Base64 encoded calculated SHA-2 hash of the used as the key for the user roles dictionary. For added security, a hash of the is used as the key for accessing roles in the user roles cache instead of the actual . This method allows the consumer to properly calculate this hash when directly using the user data cache.

Loads the for the current local user.

Loaded instance of the .

Gets a copy of the internal user role dictionary.

Gets or sets access roles for given .

User name for associated access role to load or save. Access roles for given if found; otherwise null.

Represents an that can be used restrict access to a class when using role-based security.

Initializes a new instance of the class.

List of either roles the current thread principal must have in order to have access.

Checks if the current thread principal has at least one of the in order to have access.

true if the current thread principal has access, otherwise false.

Gets or sets the list of either roles the current thread principal must have in order to have access.

Defines the function signature delegate used for logging events from the .

The source by which the application is registered on the specified computer. The string to write to the event log. One of the values. The application-specific identifier for the event.

Contains fundamental classes that define the security framework for role-based security.

A class that implements interface to facilitate custom role-based security.

Initializes a new instance of the class.

An of the user. Value specified for is null.

Gets the type of authentication used to identify the user.

Gets a boolean value that indicates whether the user has been authenticated.

Gets the user's login name.

Gets the of the user.

A class that implements interface to facilitate custom role-based security.

Initializes a new instance of the class.

An object. Value specified for is null.

Determines whether the user is a member of either of the specified .

Comma seperated list of roles to check. true if the user is a member of either of the specified , otherwise false.

Gets the object of the user.

A helper class that manages the caching of s.

Number of minutes up to which s are to be cached.

Attempts to get cached for the given username.

Name of the user. Security provider to return. True if provider is cached; false otherwise.

Attempts to reauthenticate the current thread principal after their provider has been removed from the cache.

True if the user successfully reauthenticated; false otherwise.

Gets or sets the of the current user.

A class that facilitates the caching of .

Initializes a new instance of the class.

Gets the managed by this .

Gets the of when the was created.

A helper class containing methods used in the implementation of role-based security.

Creates a new based on the settings in the config file.

Username of the user for whom the is to be created. An object that implements .

Determines if the specified is to be secured based on settings in the config file.

Name of the resource to be checked. true if the is to be secured; otherwise false/

Determines if the current user, as defined by the , has permission to access the specified based on settings in the config file.

Name of the resource to be checked. true if the current user has permission to access the ; otherwise false.

Determines if the specified matches the specified .

Spec string that can include wildcards ('*'). For example, *.txt Target string to be compared with the . true if the matches the , otherwise false.

Encrypts the password to a one-way hash using the SHA1 hash algorithm.

Password to be encrypted. Encrypted password.

Generates a random password of the specified with at least one uppercase letter, one lowercase letter, one special character and one digit.

Length of the password to generate. Randomly generated password of the specified . A value of less than 8 is specified for the .

Sends email notification message to the specified using settings specified in the config file.

Email address of the notification recipient. Subject of the notification. Content of the notification.

A serializable class that contains information about a user defined in the security data store.

Initializes a new instance of the class.

User's logon name.

Initializes a new instance of the class by copying an existing instance.

The existing instance of the class.

Initializes this object.

Copies a new instance of the class by copying an existing instance.

The existing instance of the class.

Gets the user's login ID.

Gets the user's login name.

Gets the user's password.

This field is only used to store hashed user passwords which are stored in the database.

Gets the user's first name.

Gets the user's last name.

Gets the user's company name.

Gets the user's phone number.

Gets the user's email address.

Gets the user's security question.

Gets the user's security answer.

Gets the UTC date and time when user must change the password.

Gets the UTC date and time when user account was created.

Gets a boolean value that indicates whether the user is defined in the backend security data store.

Gets a boolean value that indicates whether the user is defined as an external user in the backend security data store.

Gets a boolean value that indicates whether the user account has been disabled.

Gets a boolean value that indicates whether the user account has been locked due to numerous unsuccessful login attempts.

Gets a boolean value indicating whether or not the user has been authenticated.

Gets a read-only list of all the groups the user belongs to.

Gets a read-only list of all the roles assigned to the user.

Represents a secured inter-process cache for a of serialized .

This is a personal user data cache that only contains basic LDAP information for the user. It is used to load the local and Active Directory groups a user is associated with when the user no longer has access to its domain server. This can happen when a laptop that is normally connected to the Active Directory domain gets shutdown then restarted without access to the domain, for example, on an airplane - in this mode the user can successfully still login to the laptop to their using domain account cached by Windows but the groups the user is in will no longer be accessible. If role based security happens to be based on Active Directory groups, this cache will make sure the user can still have needed role based access even when the domain is unavailable. This cache is maintained as a separate user cache from the system level since the user data cache only contains group information and is used by the which can be used independently of the .

Creates a new instance of the .

Unique provider ID used to distinguish cached user data that may be different based on provider.

Creates a new instance of the with the specified number of .

Maximum concurrent reader locks to allow. Unique provider ID used to distinguish cached user data that may be different based on provider.

Attempts to retrieve for given .

Login ID of associated to retrieve. Reference to object to populate if found. true if for given was retrieved; otherwise false.

Serializes the for the given into the .

Login ID of associated to retrieve. Reference to object to serialize into . This will add an entry into the user data cache for if it doesn't exist; otherwise existing entry will be updated. Updates are automatically queued up for serialization so user does not need to call .

Initiates inter-process synchronized save of user data cache.

Handles serialization of file to disk; virtual method allows customization (e.g., pre-save encryption and/or data merge).

used to serialize data. File data to be serialized. Consumers overriding this method should not directly call property to avoid potential dead-locks.

Handles deserialization of file from disk; virtual method allows customization (e.g., pre-load decryption and/or data merge).

used to deserialize data. Deserialized file data. Consumers overriding this method should not directly call property to avoid potential dead-locks.

Calculates the hash of the used as the key for the user data cache.

Login ID to hash. The Base64 encoded calculated SHA-2 hash of the used as the key for the user data cache. For added security, a hash of the is used as the key for in the user data cache instead of the actual . This method allows the consumer to properly calculate this hash when directly using the user data cache.

Loads the for the current local user.

Unique security provider ID used to distinguish cached user data that may be different based on provider. Loaded instance of the .

Gets or sets for given .

Gets or sets unique provider ID used to distinguish cached user data that may be different based on provider.