Having recently discovered design patterns, and having acquired the excellent Head First Design Patterns book (I can really recommend it!), I am now wondering about design patterns for security and controlling access to records in data stores.
My use case is a bespoke CRM style application, with contacts, businesses, and users who have different levels of access, including being limited to read only access, or even a subset of records. I will only be doing distinct entity level access control, not field level.
Can anyone recommend any security orientated design patterns that would fit the above?
If it makes a difference, I am using ASP.Net MVC, Entity Framework 4 and SQL Server 2008.
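As an added illustration (not part of the original question or of any answer below): one common way to implement the entity-level access control described above is a "secure repository" decorator. It is the only path the application uses to reach a table, it applies the caller's visibility rule to every query as an Expression so an ORM can push it into the SQL WHERE clause, and it re-checks both the access level and the record scope on every write. The C# below is self-contained and runs against an in-memory LINQ source instead of Entity Framework; all type and member names (Contact, AccessContext, SecureContactRepository and so on) are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Hypothetical domain types for illustration; not taken from the original question.
public enum AccessLevel { None, ReadOnly, ReadWrite }

public class Contact
{
    public int Id { get; set; }
    public string Name { get; set; }
    public int OwningTeamId { get; set; }
}

// What the current caller may do. In ASP.NET MVC this is built once per request from
// the authenticated principal (e.g. in a base controller), never from request parameters.
public class AccessContext
{
    public AccessLevel Level { get; set; }
    public HashSet<int> VisibleTeamIds { get; set; } = new HashSet<int>();
}

public class AccessDeniedException : Exception
{
    public AccessDeniedException(string message) : base(message) { }
}

// "Secure repository" decorator: the only path the application uses to reach Contact rows.
// Visibility is a predicate applied to every query, so rows outside the caller's scope are
// never materialised (fail closed), and every write re-checks level and scope.
public class SecureContactRepository
{
    private readonly IQueryable<Contact> _all;   // with EF this would be context.Contacts
    private readonly AccessContext _ctx;

    public SecureContactRepository(IQueryable<Contact> all, AccessContext ctx)
    {
        _all = all;
        _ctx = ctx;
    }

    // Expression<Func<...>> rather than Func<...> so an ORM can translate it into SQL WHERE.
    private Expression<Func<Contact, bool>> VisibleTo()
    {
        if (_ctx.Level == AccessLevel.None)
            return c => false;                   // no scope at all: deny everything
        int[] teams = _ctx.VisibleTeamIds.ToArray();
        return c => teams.Contains(c.OwningTeamId);
    }

    public IQueryable<Contact> Query() => _all.Where(VisibleTo());

    // Returns null both for "does not exist" and "exists but outside your scope",
    // so a caller cannot enumerate ids it is not allowed to see.
    public Contact Find(int id) => Query().FirstOrDefault(c => c.Id == id);

    public void Rename(int id, string newName)
    {
        if (_ctx.Level != AccessLevel.ReadWrite)
            throw new AccessDeniedException("caller has read-only access");
        Contact c = Find(id);                    // scope check reuses the same predicate
        if (c == null)
            throw new AccessDeniedException("contact is not visible to caller");
        c.Name = newName;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data standing in for the Contacts table.
        IQueryable<Contact> contacts = new List<Contact>
        {
            new Contact { Id = 1, Name = "Alice", OwningTeamId = 10 },
            new Contact { Id = 2, Name = "Bob",   OwningTeamId = 20 },
        }.AsQueryable();

        var readOnlyTeam10 = new AccessContext { Level = AccessLevel.ReadOnly, VisibleTeamIds = { 10 } };
        var editorTeam10   = new AccessContext { Level = AccessLevel.ReadWrite, VisibleTeamIds = { 10 } };

        var ro = new SecureContactRepository(contacts, readOnlyTeam10);
        Console.WriteLine(ro.Query().Count());            // only team 10's contact is counted
        Console.WriteLine(ro.Find(2) == null);            // Bob is out of scope, reported as absent
        try { ro.Rename(1, "Alicia"); }                   // denied: read-only caller
        catch (AccessDeniedException e) { Console.WriteLine(e.Message); }

        var rw = new SecureContactRepository(contacts, editorTeam10);
        rw.Rename(1, "Alicia");                           // allowed: ReadWrite and in scope
        try { rw.Rename(2, "Robert"); }                   // denied: right level, wrong scope
        catch (AccessDeniedException e) { Console.WriteLine(e.Message); }
    }
}
```

In an ASP.NET MVC application the `[Authorize]` attribute (or a custom filter) still handles the coarse question of who may reach a controller at all; the repository handles the row-level question, so that a user who guesses another record's id in a URL gets the same "not found" result as for a record that does not exist. Because the scope is expressed as a predicate rather than as a post-filter on loaded objects, the same rule applies to list pages, lookups and exports without being re-implemented in each action.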
Security is what we call a cross-cutting concern, and it's never easy to deal with.
If you need to deal with security at the ASP.NET MVC level, you should consider looking at the MVC tutorial:
http://www.asp.net/learn/mvc/
If you want to know more about security at the domain model level, an interesting question has already been asked:
DDD User Security Policies
Hope this helps
There does exist a group of patterns related to security, though most of them focus on securing integrated systems. I have found no book that is as well written and usable as GOF/Head First, though I did enjoy the one online at www.securitypatterns.org.
Security is as much about architecture (server setup, network topology...) as it is about programming, so I would recommend that you start out with a general security book. Also pick up a book specifically on .NET/Windows security, since robust security programming is very technology specific (I, as a UNIX/Java programmer, will have a completely different toolbox than a .NET programmer and can unfortunately not help you with a book on this last subject).
A good place to start on security (although not necessarily a "security design patterns" book) is Ross Anderson's Security Engineering.