programmatic security in data access or bus logic tier?
I'm designing an IIS/MTS/SQL7 application with some complex data access
security requirements. Would it make more sense to encode this in the
business logic layer or the data access layer?
Access is driven by business rules; but on the other hand, it might make
more sense to implement this deeper, in the data access layer.
Any thoughts?
Re: programmatic security in data access or bus logic tier?
I have some of the same concerns. It is one thing when you are dealing with
Internet vs an internal application. There are some previous discussions
on this topic, which mention using the built-in security in the MTS. This
to me makes sense for Internet applications. In my case we want to use the
same Business logic and persistent objects for both internal and external
access. My concern is that internally, what is stopping someone else from
using a machine previously logged into the system (say overnight) and do as
you please but not have those rights.
In my case I pass the username and password to the Data objects when I fetch
the data. The username and password I get from having a login screen and
creating a CCurrentUser global object in the business logic.
This has been tested on my own system but not on the MTS (we haven't installed
yet).
Any responses I would be glad to hear because I'm also new to this type of development
and there doesn't seem to be much documented when it comes to security issues
and databases.
Kurt
"Flacco" <Flacco001_REMOVE_@twilight-systems.com> wrote:
>
>I'm designing an IIS/MTS/SQL7 application with some complex data access
>security requirements. Would it make more sense to encode this in the
>business logic layer or the data access layer?
>
>Access is driven by business rules; but on the other hand, it might make
>more sense to implement this deeper, in the data access layer.
>
>Any thoughts?
>
>
>