Make a Method of the Business Layer secure. best practice / best pattern [.net/c#]
- by gsharp
Hi
We are using ASP.NET with a lot of AJAX "Page Method" calls.
The WebServices defined in the Page invokes methods from our BusinessLayer.
To prevent hackers to call the Page Methods, we want to implement some security in the BusinessLayer.
We are struggling with two different issues.
First one:
public List<Employees> GetAllEmployees()
{
// do stuff
}
This Method should be called by Authorized Users with the Role "HR".
Second one:
public Order GetMyOrder(int orderId)
{
// do sutff
}
This Method should only be called by the owner of the Order.
I know it's easy to implement the security for each method like:
public List<Employees> GetAllEmployees()
{
// check if the user is in Role HR
}
or
public Order GetMyOrder(int orderId)
{
// check if the order.Owner = user
}
What I'm looking for is some pattern/best practice to implement this kind of security in a generic way (without coding the the if then else every time)
I hope you get what i mean :-)
Thanks for you help.