'Need more input, Stephanie!'

by Michael S. Kaplan, published on 2005/07/05 12:35 -04:00, original URI: http://blogs.msdn.com/b/michkap/archive/2005/07/05/435709.aspx


Since these immortal words were spoken by the voice of Tim Blaney to Ally Sheedy, I think every one of us has at times felt like the industrious Number 5 who would read the encyclopedias and dictionaries if only you could point at the information, at the input.

I have talked about the New String Recommendations doc that Dave Fetterman reported on (full paper here). It inspires the same feeling in me, and in other people. More input is needed to make the choices about what methods to call, and under what circumstances. In the present form, there is too much that is unknown.

Now I did make the bold and somewhat audacious claim that you can summarize with use appropriate comparison methods and leave it at that. Now I will backpedal a little and show an example of when that can be difficult....

Let's take the seemingly simple (hah!) case of authentication in SQL Server. There are for our purposes usually three basic scenarios:

There are other slight variations that can happen when other providers get involved in the OS security story. But let's leave those aside for the moment -- you can keep them in mind if these three alone do not scare you off. :-)

Anyway, given all of the above, how difficult do you think it would be to come up with a mechanism to emulate the authentication behavior of a SQL Server, for the purpose of providing a deny/grant mechanism for a database resource?

Pretty fiendishly difficult, I would say.

In all honesty, your best bet would be to always pass through to the server and let it decide who is authenticated. Not that navigating the above is impossible, but it is difficult to the point of being improbable, or at least impractial. Unless you are paid by the hour and are not required to show significant progress....

 

This post brought to you by "ƹ" (U+01b9, LATIN SMALL LETTER EZH REVERSED)


# Yaytay on 5 Jul 2005 1:29 PM:

You should always pass it through to the server anyway - the sysadmin is in charge of security policy decisions, not the developer.
And the sysadmin should only have to express those policy decisions using system supplied features.

'All' the developer has to do is to ensure that their system enables the sysadmin to specify policies (and sets up appropriate DACLs within itself to ensure that such policies are honoured).

# Michael S. Kaplan on 5 Jul 2005 1:38 PM:

No disagreement from me, Yaytay. But the deny/grant stuff is a feature that exists, and it is in the hands of developers to use in code, for better or worse....

referenced by

2007/09/05 Head checks containing either comparison or case validation BITE

2005/12/22 New in Windows Vista: OrdinalIgnoreCase for Win32

2005/10/05 AD, and a little KB confusion

go to newer or older post, or back to index or month or day