Copy and Paste Monster
by Hans on 2009/10/06 13:56
in Categories: General

This post is the result of many wasted hours spent trying to understand why user authorization was not working in an ASP.NET web site.

Let me set the scene. We have a VS2008 website that is to be deployed to IIS7 as an intranet web application. The website uses Integrated Windows Security for authentication and Active Directory security groups for authorization. Users are restricted to resources within the web site based on the AD security groups they are assigned to.

The problem. The AD security groups have been defined and the developer has received an email from the ops team with the names of the AD security groups. The developer, who has already implemented the code, now copies and pastes the AD security group names from the email into web.config, web.sitemap and other code that uses Page.User.IsInRole("somegroup").

This is where the fun starts. Nothing seems to work and the piece of code above always returns false. A call is made to the ops team enquiring whether or not the AD security groups have in fact been created and whether the test AD user accounts have been assigned to the appropriate groups. All is confirmed telephonically. Google is now consulted and many code changes are introduced. Still nothing seems to work; the general mood is very somber and tempers are being tested. A developer gets up and goes to see the ops team to confirm for himself that the relevant AD groups and assignments have been done. A visual confirmation is made and all seems fine. More hours are spent trying to fix the problem. The problem persists and the developer starts contemplating whether “moving to the light” would be easier than continuing.

Help is received from an experienced external developer and consultant (myself) in the form of a few words, and I quote myself: “Check the AD group name it may have some garbage characters in it”. Hence the solution: the light shone once more and sanity prevailed.

At face value the name of the AD group seems normal, “shr – some group name – gs”, and nothing untoward is detected. However, a quick view of this using UltraEdit reveals the following:

[Image: Copy and Paste Monster]

As can be seen from the image above, what seemingly is a hyphen is in fact a Hex 96, and when you pass that string to Page.User.IsInRole you will get false all the time.

Standards. This brings us to the next point, which is how to avoid the above. The solution I adopt and try to impress upon my clients is to introduce a naming convention for AD security groups and include it in the company's development, coding and other standards documents. The naming convention I propose, in its simplest form, states that only alphanumeric characters should be used. No spaces and definitely no special characters. Camel or Pascal casing can be used; I prefer Pascal case. Those of you who are tasked with Quality Assurance and so forth will recognize the need for standards.

Examples.

SalesStaff
ExecutiveTeam
Slaves
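
One way to catch this before deployment, as an added example that is not code from the original post: a Python check that reads the role names from a web.config authorization section, reports every non-ASCII or control character with its code point, and tests each group name against the alphanumeric-only convention above. The sample config, the DOMAIN prefix and the function names are constructed for illustration; byte 0x96 decodes to U+2013 (EN DASH) in Windows-1252.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample web.config; the first role carries U+2013 (byte 0x96 in
# Windows-1252) where a hyphen was intended, as in the post.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow roles="DOMAIN\\shr \u2013 some group name \u2013 gs, DOMAIN\\SalesStaff" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

CONVENTION = re.compile(r"[A-Za-z0-9]+\Z")  # the post's rule: alphanumerics only


def suspicious_chars(name):
    """Return (index, code point, Unicode name) for each non-ASCII or control character."""
    return [(i, "U+%04X" % ord(c), unicodedata.name(c, "UNNAMED"))
            for i, c in enumerate(name)
            if ord(c) > 0x7E or ord(c) < 0x20]


def audit_roles(config_xml):
    """Check every role listed in <allow>/<deny roles="..."> of a web.config document."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        if elem.tag not in ("allow", "deny") or "roles" not in elem.attrib:
            continue
        for role in (r.strip() for r in elem.attrib["roles"].split(",")):
            group = role.rsplit("\\", 1)[-1]  # drop the DOMAIN\ prefix
            findings.append({
                "role": role,
                "suspicious": suspicious_chars(group),
                "meets_convention": bool(CONVENTION.match(group)),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_CONFIG):
        print(finding)
```

Running the same check over web.sitemap role attributes and any role strings in code catches the pasted character wherever it landed.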

I suspect that in larger enterprise environments my convention may be frowned upon and considered inadequate. To all those infrastructure architects and network gurus out there: let’s keep the root cause of the above problem in mind, not least the cost of the wasted hours and tarnished images. I have read many documents that define suffixes and prefixes for various reasons, and here are a few examples. I will not discuss the meaning of these, as this is an entirely different discussion:

ls - domain local security
gs - global security
us - universal security
ld - domain local distribution
gd - global distribution
ud - universal distribution

In the above case users are encouraged to use hyphens to separate descriptive types and names. Well, make up your own mind and use with care. A little more advice: “Beware the copy and paste monster”; it bites.

I sincerely hope this will be of some value to someone out there.

Happy hacking and greetings from the Saxon team.

© 2012 Saxon Systems. All rights reserved.