Hi,
Let's try create design for most common internet web site (ASP.NET application WEB FORMS)
First of all, try to whiteboard your architecture in most simple way in order to have base to working on with.
Crosscutting Concerns
Crosscutting concerns are the features of your design that may apply across all layers,
components, and tiers. These are also the areas in which high-impact design mistakes
are most often made. Examples of crosscutting concerns are:
Authentication and Authorization.
How you choose appropriate authentication
and authorization strategies, flow identity across layers and tiers, and store user
identities.
Caching.
How you choose an appropriate caching technology, determine what
data to cache, where to cache the data, and a suitable expiration policy.
Communication. How you choose appropriate protocols for communication
across layers and tiers, design loose coupling across layers, perform asynchronous
communication, and pass sensitive data.
Configuration Management. How you determine what information must be
configurable, where and how to store configuration information, how to protect
sensitive configuration information, and how to handle configuration information
in a farm or cluster.
Exception Management. How you handle and log exceptions, and provide
notification when required.
Logging and Instrumentation. How you determine which information to log, how
to make the logging configurable, and determine what level of instrumentation is
required.
Validation. How you determine where and how to perform validation; the techniques
you choose for validating on length, range, format, and type; how you
constrain and reject input invalid values; how you sanitize potentially malicious
or dangerous input; and how you can define and reuse validation logic across
your application’s layers and tiers.
Designing for Issue Mitigation
By analyzing quality attributes and crosscutting concerns in relation to your design
requirements, you can focus on specific areas of concern. For example, the quality
attribute Security is obviously a vital factor in your design, and applies at many
levels and areas of the architecture. The relevant crosscutting concerns for security
provide guidance on specific areas where you should focus your attention. You can
use the individual crosscutting categories to divide your application architecture for
further analysis, and to help you identify application vulnerabilities. This approach
leads to a design that optimizes security aspects.
Auditing and Logging. Who did what and when? Is the application operating
normally? Auditing refers to how your application records security-related
events. Logging refers to how your application publishes information about its
operation.
Authentication. Who are you? Authentication is the process where one entity
definitively establishes the identity of another entity, typically with credentials
such as a username and password.
Authorization. What can you do? Authorization refers to how your application
controls access to resources and operations.
Configuration Management. What context does your application run under?
Which databases does it connect to? How is your application administered?
How are these settings protected? Configuration management refers to how
your application handles these operations and issues.
Cryptography. How are you handling secrets (confidentiality)? How are you
tamper-proofing your data or libraries (integrity)? How are seeding random
values that must be cryptographically strong? Cryptography refers to how
your application enforces confidentiality and integrity.
Exception Management. When a method call in your application fails, what
does your application do? How much information does it reveal? Does it return
friendly error messages to end users? Does it pass valuable exception information
back to the calling code? Does it fail gracefully? Does it help administrators
to perform root cause analysis of the fault? Exception management refers to how
you handle exceptions within your application.
Input and Data Validation. How do you know that the input your application
receives is valid and safe? Does it constrain input through entry points and
encode output through exit points. Can it trust data sources such as databases
and file shares? Input validation refers to how your application filters, scrubs,
or rejects input before additional processing.
Sensitive data. How does your application handle sensitive data? Does it protect
confidential user and application data? Sensitive data refers to how your application
handles any data that must be protected either in memory, over the network,
or in persistent stores.
Session Management. How does your application handle and protect user sessions?
A session refers to a set of related interactions between a user and your application.
You can use these questions and answers to make key security design decisions
for your application, and document these are part of your architecture. For example,
Logical Layered Design
Presentation, Business, and Data Layers
In the end I did something like this for my ASP.NET application:
