Ayende @ Rahien

It's a girl

System Users and Application Users

This is a question that comes up relatively often in the RavenDB mailing list. How do I handle multiple users with RavenDB? Does it support multiple users? Does it supports the Membership Provider?

Those questions usually confuse a very key concept regarding users. Whose users are they?

In particular, we need to make a distinction between System Users and Application Users. Despite using the same term for both, there is actually very little connection between the two.

Here is an example of a System User:

<connectionStrings>
    <add name="RavenDB" connectionString="Url=http://scotty.ravendb.net;user=beam;password=up"/>
</connectionStrings>

As you can probably surmise, this is a connection string, and the user is ‘beam’. This user is a System User, if you call the Ops Team and ask them why the password expired, they can help you there.

This is a system user, it controls access to external resources, and usually you have very few of those. Usually they control things like what parts of the disk you can write to, what databases you can connect to, etc. For the most part, they aren’t in your control, you don’t manage them and neither does you application

In contrast to that, here is a great example of an Application User:

image

An Application User is unique to its application. It is usually manifested as a document (or a database row) and doesn’t have any existence beyond that. If you called the Twitter Team Ops and told them that the RavenDB account password need resetting, they would be pissed that you are wasting their time.

This distinction is important, because it implies a lot about how we use those two different types of users.

System Users are used… well, for the system. Application Users are the actual users using the system. Very rarely are they one and the same. Usually our application use service accounts, and any security checks for what an Application User can do are implemented as part of the business logic, not by setting ACLs.

Don’t confuse the two, despite the common name.

And coming back all the way to the original question. RavenDB comes with the notion of System Users via Windows Auth and OAuth, and it helps with Application Users using the Authorization Bundle. But you really don’t want to use the membership API, regardless of the underlying storage.

Comments

Daniel Lang
10/18/2011 10:58 AM by
Daniel Lang

Ayende, what is the problem with the membership API?

I find it quite useful to implement at least a few methods of both providers, so that the Authorize attribute works on controllers and actions.

Ayende Rahien
10/18/2011 11:05 AM by
Ayende Rahien

Daniel, It is a huge API, it makes a lot of assumptions and it is really not nice to work with in terms of what it gives you and what you have to implement

Andrew Rimmer
10/18/2011 11:08 AM by
Andrew Rimmer

The membership API is pretty awful. The cons really do outweigh the pros...

Daniel - you can just implement IPrincipal to get the out-of-the-box Authorize attribute to work.

I usually do this and use forms authentication vs using the membership provider.

Daniel Lang
10/18/2011 11:17 AM by
Daniel Lang

Ayende and Andrew, thanks, I see your point. I will take a look at implementing IPrincipal instead or writing a custom authorization filter.

Justin Adler
10/18/2011 10:50 PM by
Justin Adler

@Daniel Lang - keep well away from the evil Membership API. Ayende and Andrew summed it up nicely.

In fact, when I get a chance, I'll try and complete my facebook integration/authorization into RavenOverflow so you can see how you can have application users in an application, easily and without having to have passwords also. watch this space (in a week or so).

Scott Scowden
10/23/2011 07:25 PM by
Scott Scowden

Justin, I am looking forward to your sample.

Are there any other good samples out there of integrating IPrincipal with MVC?

Adrian Lanning
10/30/2011 05:11 PM by
Adrian Lanning

One of the little-known benefits of the MembershipAPI is that there is a very thorough administration section available for it up on codeplex: http://mywsat.codeplex.com/

Hunzonian, the author, really outdid himself putting that together and it has saved me a lot of time over the years. I have used it in a production MVC site since 2008.

Recently I needed an admin section for an MVC site that uses Mongo so I made a port (the MyWSAT project is heavily tied to SQL Server - see project page for details): http://www.nuget.org/List/Packages/MongoWSAT

It should be fairly straightforward to make a RavenDB version. If anyone wants to attempt it and would like pointers, hit me up via nuget or github.

Comments have been closed on this topic.