The Security Application Block in Enterprise Library has a few advantages over the application block it replaces. It looks like it will be a lot simpler to use. Notably, it no longer appears to be designed around the peculiarities of Authorization Manager (AzMan); in fact, it ships with an authorization provider that does not depend on Authorization Manager at all.

There are a few concepts to understand when using the Security Application Block:

  • Authentication
  • Authorization
  • Roles
  • Profiles

Every person or system that interacts with your application will claim to have some rights to perform certain actions. Authentication is the process of verifying that the person or system really is the user it claims to be; it establishes identity, not permissions. Most systems authenticate users with a username and password combination.

After the user is authenticated, your application must determine which actions or operations that user is allowed to execute. This is called authorization, and in Enterprise Library it is role-based: permissions are granted to roles rather than to individual users.

Roles are assigned to users to describe how they will use the application. When an operation is requested, the authorization system checks the roles assigned to the authenticated user, so the code asks "may this principal perform this operation?" and the mapping from roles to operations lives in configuration rather than in the code.

The Security Application Block also provides a facility for storing profile information for each user, separate from roles and permissions. A profile can consist of primitive values, serializable objects, or a dictionary of primitive values and serializable objects.
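To see how the four pieces fit together, here is a C# console program that walks one request through authentication, role lookup, authorization and profile access. It is an added example, not code from the original post or from Enterprise Library itself; the member names follow the Enterprise Library 1.0 Security block API, while the default providers it resolves, the `ApproveInvoice` rule, the sample credentials and the `Preferences` class are assumptions that must match your own security configuration.

```csharp
// Added example (not from the original post or from Enterprise Library).
// Walks one request through the four Security Application Block concepts:
// authenticate -> look up roles -> authorize a named operation -> read/write profile.
// The providers come from the default entries in the application's security
// configuration; the rule name "ApproveInvoice", the credentials and the
// Preferences class are assumptions made for this example.
using System;
using System.Security.Principal;
using Microsoft.Practices.EnterpriseLibrary.Security;

// Profile payload. The block stores serializable objects, so mark it [Serializable].
[Serializable]
public class Preferences
{
    public string Theme = "default";
    public int PageSize = 25;
}

public class SecurityWalkthrough
{
    public static int Main(string[] args)
    {
        // 1. Authentication: prove the caller is who they claim to be.
        IAuthenticationProvider authentication = AuthenticationFactory.GetAuthenticationProvider();

        // Constructed sample credentials; a real application collects these from the user.
        NamePasswordCredential credentials = new NamePasswordCredential("alice", "S3cret!");

        IIdentity identity;
        if (!authentication.Authenticate(credentials, out identity))
        {
            // Same message whether the name or the password was wrong, so a caller
            // cannot learn which half of the credential was valid.
            Console.WriteLine("Access denied.");
            return 1;
        }

        // 2. Roles: turn the bare identity into a principal that carries role membership.
        IRolesProvider roles = RolesFactory.GetRolesProvider();
        IPrincipal principal = roles.GetRoles(identity);

        // 3. Authorization: ask about a named operation (the "context"), not about a role.
        //    Which roles may approve invoices is a rule in configuration, so this code
        //    does not change when the role-to-operation mapping does.
        IAuthorizationProvider authorization = AuthorizationFactory.GetAuthorizationProvider();
        if (!authorization.Authorize(principal, "ApproveInvoice"))
        {
            Console.WriteLine(identity.Name + " may not approve invoices.");
            return 2;
        }

        // 4. Profile: per-user data that has nothing to do with permissions.
        IProfileProvider profiles = ProfileFactory.GetProfileProvider();
        Preferences prefs = profiles.GetProfile(identity) as Preferences;
        if (prefs == null)
        {
            prefs = new Preferences();   // first visit, or profile of another type: start from defaults
        }
        prefs.PageSize = 50;
        profiles.SetProfile(identity, prefs);

        Console.WriteLine(identity.Name + " approved invoices; page size is now " + prefs.PageSize);
        return 0;
    }
}
```

The point of step 3 is that the code never compares role names itself: if the "ApproveInvoice" rule is later widened from one role to two, only the configuration changes. The authentication failure path returns the same message for an unknown name and a wrong password on purpose.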

One of the new things in the security block is a simple backend database for storing user, role and profile information. This removes the dependency on having Active Directory and Authorization Manager installed. You can start with this simple database and then move to AD and AzMan in production, if required. Bear in mind that with the database providers your application owns the credential store, so it needs the same protection as any other password database.

One thing I could not find is the actual provider for authenticating against Active Directory. It must be in there, right?