Wednesday, August 20, 2008

Authentication & Authorization

Use AD for authentication and DB for authorization

I'm trying to reason out the above statement to the best of my knowledge; this may be specific to the Windows environment. Do leave your thoughts if you know of better reasons.

A company intranet website application can be open to all domain users and hence doesn't need any authentication at all. But we may need to restrict access to a phone list application to certain groups, and this application may include additional authorization restrictions: for example, a certain group of users should not be able to view some sections of the data, say "personal mobile numbers". The best approach is to authenticate all users with an AD group and use a different authorization data store, like a database.

Can we not use the DB for authentication too, i.e. use the "authorization data store", check whether the user is authorized for each step in the application, and redirect to an access denied page if not? Though it's a technically possible option, in this case control over who gets access to the phone list application is through the DB. Everyone will agree that access control there is weaker compared to a secure AD group, whose membership is restricted to AD administrators' hands. Inherently, access to the application DB is spread wider than access to AD. Also, AD authentication blocks unauthorized users at the gate, i.e. they are stopped even before entering the application.

At the other end of the spectrum, why should we not use AD for authorization? For simplicity's sake, if we have 3 authorization groups for each application, 10 applications, and toss in 2 environments (dev/prod), we end up with 60 AD groups. That is work for the AD admins that will become unmanageable in the course of time; in the worst-case scenario, someone gets access they shouldn't have.

That said, there is room for all shades of grey. For example, any enterprise has to maintain AD groups for something or other, like shared folder access. Using the same phone list application, if there is a requirement to restrict users from viewing sr. mgmt contacts, I'd rather make that authorization against AD than have it inside my application DB.
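The split described in this post, as an added example that is not code from the original post: AD group membership is checked at the gate, and the application database only decides which phone list fields an admitted user may see. The group name, table layout, accounts and phone entries are constructed, and it is assumed the web server has already authenticated the user against AD and passed along the account's group names.

```python
import sqlite3

# Assumption: the web server has already authenticated the user against AD
# and hands the application the account name and its AD group names.
GATE_GROUP = "EXAMPLE\\PhoneList-Users"  # hypothetical AD group guarding the app

def open_authz_db():
    """In-memory stand-in for the application's authorization data store (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_role (account TEXT PRIMARY KEY, role TEXT NOT NULL);
        CREATE TABLE role_field (role TEXT, field TEXT, PRIMARY KEY (role, field));
        INSERT INTO user_role VALUES ('alice', 'hr'), ('bob', 'staff'), ('mallory', 'hr');
        INSERT INTO role_field VALUES
            ('hr', 'name'), ('hr', 'desk_phone'), ('hr', 'personal_mobile'),
            ('staff', 'name'), ('staff', 'desk_phone');
    """)
    return db

def visible_fields(db, account, ad_groups):
    """Return the set of fields the user may see, or None if stopped at the gate."""
    # Step 1 (AD): anyone outside the gate group is blocked before app data is touched,
    # so a row added to the application DB alone never grants entry.
    if GATE_GROUP.lower() not in {g.lower() for g in ad_groups}:
        return None
    # Step 2 (DB): fine-grained authorization; accounts without a role get nothing.
    rows = db.execute(
        "SELECT rf.field FROM user_role ur JOIN role_field rf ON rf.role = ur.role "
        "WHERE ur.account = ?", (account,))
    return {r[0] for r in rows}

def phone_list_for(db, account, ad_groups, entries):
    """Project each phone list entry down to the fields this user is authorized to view."""
    fields = visible_fields(db, account, ad_groups)
    if fields is None:
        raise PermissionError("access denied: not in the AD gate group")
    return [{k: v for k, v in e.items() if k in fields} for e in entries]

# Constructed sample entry
ENTRIES = [{"name": "Carol", "desk_phone": "x1234", "personal_mobile": "555-0100"}]

if __name__ == "__main__":
    db = open_authz_db()
    print(phone_list_for(db, "alice", [GATE_GROUP], ENTRIES))  # hr role: all fields
    print(phone_list_for(db, "bob", [GATE_GROUP], ENTRIES))    # staff: no personal mobile
    print(visible_fields(db, "mallory", ["EXAMPLE\\Domain Users"]))  # DB row but no AD group
```
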

Saturday, August 02, 2008

BBC - The Story of India

A six-part BBC series which attempts to cover the story of India from past to present. I felt they mostly covered the Aryan part, overshadowing the Dravidian side of history.

Friday, August 01, 2008

leanerFox

Of late I was frustrated with Firefox eating so much memory. It's far better than what it used to be.
  • Upgraded to the latest and greatest version, which has many memory leak fixes
  • Installed the flashblock extension
  • Modded the following config entries
browser.cache.disk.capacity 15000
browser.cache.memory.capacity -1
browser.sessionhistory.max_total_viewers 2 {seldom use back button}
config.trim_on_minimize true {would love if there is a similar thing for lost focus event}
nglayout.initialpaint.delay 0
network.http.pipelining true
network.http.pipelining.maxrequests 8 {for DSL speed}

I have the same problem with Yahoo messenger; I felt it became more and more of a resource hog. I don't want a browser window to be open at all times for the web version (why can't they provide the msg archive on the web to the standalone version also). After googling a bit, I did the following, but I still see it sometimes gobble 30k:
  • switched to classic skin
  • removed all plug-ins
  • removed the annoying ad-banner {this patch worked for version 8.1.0.421}