Question

Where should I implement security/authorization in n-tier architecture?

I was developing an ASP.NET MVC application using n-tier architecture. Should I implement the authorization module as a different layer or as a service?

Some business rules depend on the user role as well, so what is the best way to implement security?


Solution

In an n-tier application, no matter the technology (C#, Java, ...), you probably want to externalize authorization altogether to a different service, as you mention yourself. There is a standard that does that called XACML (eXtensible Access Control Markup Language). It gives you

  • an architecture
  • a policy language
  • a request/response scheme

With XACML, you can apply fine-grained authorization (i.e. authorization that takes into account the user, the resource, and additional context metadata) to all your app's layers: the presentation layer (to show/hide or enable/disable widgets), the web tier (to control access to web apps, urls, web services, APIs), the business tier, and even the database tier itself. I call that the anywhere architecture.

The benefit of XACML is that it's not specific to your .NET environment. This means you can leverage it in other environments.

I actually presented that topic last week at a Java developer conference. You can check out my presentation on SlideShare.

HTH
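The pieces the answer lists, an architecture that separates the enforcement point in the application from the decision point, a request/response scheme, and policy that looks at the user, the resource and extra context rather than the role alone, as an added example in Python. This is not code from the original answer and not a XACML implementation; it builds a XACML 3.0 `Request` with the standard category and attribute identifiers, evaluates three rules with the XACML deny-overrides combining algorithm, and returns a XACML `Response`. The invoice scenario, the `urn:example:invoice:*` attribute ids and the business rules (managers approve, nobody approves their own invoice, amounts over 10000 need a director) are assumptions for this example, and the rules are written as Python functions standing in for the XACML policy XML a real PDP would load. In the asker's ASP.NET MVC app the `build_request`/`is_permitted` half would be the C# PEP calling the PDP over HTTP.

```python
# Added example (not from the original answer): a tiny XACML-style Policy
# Decision Point. PEP side builds a XACML 3.0 Request, PDP side evaluates
# attribute-based rules with deny-overrides and returns a XACML Response.
# Invoice attribute ids (urn:example:...) and the rules are assumed here.
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
ET.register_namespace("xacml", XACML)
STRING = "http://www.w3.org/2001/XMLSchema#string"  # all values carried as strings

# Standard XACML category and attribute identifiers.
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Application-specific attributes, assumed for this example only.
OWNER_ID = "urn:example:invoice:owner"
AMOUNT_ID = "urn:example:invoice:amount"


def build_request(subject, roles, invoice, owner, amount, action):
    """PEP side: wrap the facts about one call into a XACML 3.0 Request."""
    req = ET.Element(f"{{{XACML}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")

    def attrs(category, items):
        node = ET.SubElement(req, f"{{{XACML}}}Attributes", Category=category)
        for attr_id, values in items:
            a = ET.SubElement(node, f"{{{XACML}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
            for v in values:
                ET.SubElement(a, f"{{{XACML}}}AttributeValue", DataType=STRING).text = str(v)

    attrs(SUBJECT_CAT, [(SUBJECT_ID, [subject]), (ROLE_ID, roles)])
    attrs(RESOURCE_CAT, [(RESOURCE_ID, [invoice]), (OWNER_ID, [owner]), (AMOUNT_ID, [amount])])
    attrs(ACTION_CAT, [(ACTION_ID, [action])])
    return ET.tostring(req, encoding="unicode")


def parse_request(xml_text):
    """PDP side: flatten the Request into {category: {attribute-id: [values]}}."""
    ctx = {}
    for attrs in ET.fromstring(xml_text).findall("x:Attributes", NS):
        cat = ctx.setdefault(attrs.get("Category"), {})
        for attr in attrs.findall("x:Attribute", NS):
            values = [v.text for v in attr.findall("x:AttributeValue", NS)]
            cat.setdefault(attr.get("AttributeId"), []).extend(values)
    return ctx


def get(ctx, category, attr_id):
    return ctx.get(category, {}).get(attr_id, [])


# Rules as Python functions (a stand-in for XACML <Rule> elements). Each
# returns "Permit", "Deny" or "NotApplicable".
def rule_manager_can_approve(ctx):
    if "approve" in get(ctx, ACTION_CAT, ACTION_ID) and "manager" in get(ctx, SUBJECT_CAT, ROLE_ID):
        return "Permit"
    return "NotApplicable"


def rule_no_self_approval(ctx):
    # Needs both the subject and the resource owner: a role check alone cannot express it.
    subject = get(ctx, SUBJECT_CAT, SUBJECT_ID)
    if "approve" in get(ctx, ACTION_CAT, ACTION_ID) and subject and subject == get(ctx, RESOURCE_CAT, OWNER_ID):
        return "Deny"
    return "NotApplicable"


def rule_large_amount_needs_director(ctx):
    amount = get(ctx, RESOURCE_CAT, AMOUNT_ID)
    if ("approve" in get(ctx, ACTION_CAT, ACTION_ID) and amount
            and float(amount[0]) > 10000 and "director" not in get(ctx, SUBJECT_CAT, ROLE_ID)):
        return "Deny"
    return "NotApplicable"


POLICY = [rule_manager_can_approve, rule_no_self_approval, rule_large_amount_needs_director]


def combine_deny_overrides(results):
    """XACML deny-overrides: any Deny wins, otherwise any Permit, else NotApplicable."""
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


def decide(request_xml, policy=POLICY):
    """PDP entry point: returns (decision, XACML Response XML)."""
    ctx = parse_request(request_xml)
    decision = combine_deny_overrides([rule(ctx) for rule in policy])
    resp = ET.Element(f"{{{XACML}}}Response")
    ET.SubElement(ET.SubElement(resp, f"{{{XACML}}}Result"), f"{{{XACML}}}Decision").text = decision
    return decision, ET.tostring(resp, encoding="unicode")


def is_permitted(response_xml):
    """PEP side: only an explicit Permit grants access; NotApplicable is a deny too."""
    return ET.fromstring(response_xml).find("x:Result/x:Decision", NS).text == "Permit"


if __name__ == "__main__":
    for who, roles, owner, amount in [("alice", ["manager"], "bob", 5000), ("alice", ["manager"], "alice", 5000),
                                      ("alice", ["manager"], "bob", 25000), ("carol", ["clerk"], "bob", 5000)]:
        decision, resp = decide(build_request(who, roles, "inv-42", owner, amount, "approve"))
        print(who, roles, "owner", owner, "amount", amount, "->", decision, "| allowed:", is_permitted(resp))
```

Two design points worth carrying into a real deployment: the PEP treats anything other than `Permit` as a refusal, so a request the policy simply does not cover (the clerk case) fails closed, and the "no self-approval" rule shows why the question's role-dependent business rules belong in the PDP rather than scattered through controllers: the decision needs the subject, the resource and the action together, which is exactly what the request carries.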

License: CC-BY-SA with attribution
Not affiliated with StackOverflow