Custom IPrincipal and declarative security checking

I'm having trouble getting declarative checks (using PrincipalPermissionAttribute) to work with my custom IPrincipal implementation in a web scenario.

I created a custom principal class (MyPrincipal), implementing the IPrincipal interface
I added code to the global.asax Application_AuthenticateRequest handler to construct an instance of MyPrincipal, and assign this instance to Context.User (also tried assigning the instance to both Context.User and Thread.CurrentPrincipal).
I've got a class (MyClass) defined as follows:

    public class MyClass
    {
        [PrincipalPermission(SecurityAction.Demand, Role="Admin")]
        public static void MyMethod()
        {
            // do stuff
        }
    }

I have got a web page containing the following code in Page_Load:

    bool test = Thread.CurrentPrincipal.IsInRole("Admin");   // 1. works (test=true)
    bool test2 = Context.User.IsInRole("Admin");             // 2. works (test2=true)

    PrincipalPermission p = new PrincipalPermission(null, "Admin");
    p.Demand();                                              // 3. Fails

    MyClass.MyMethod();                                      // 4. Fails

The last 2 methods (using PrincipalPermission.Demand and calling the MyMethod) fail with a security exception (Exception Details: System.Security.SecurityException: Request for principal permission failed.).

I was under the impression that PrincipalPermissionAttribute class would work with every implementation of IPrincipal, and not just with the WindowsPrincipal & GenericPrincipal, is that correct?

Am I missing something obvious here? Would especially be grateful for links to docs exploring .NET security with custom implementations of different security related classes...

Thanks in advance, all help welcome...

Baileys.

PrincipalPermission should work against all implementations of IPrincipal,
but it evaluates solely against the thread principal, so you'll absolutely need to use Thread.CurrentPrincipal in addition to (or instead of) the HttpContext user. In order to pass a PrincipalPermission demand, the thread principal will need to match the specified user name and/or role membership, and it will also need to be authenticated (as specified by the IPrincipal.Identity.IsAuthenticated property). I'm guessing that the problem probably lies with a failure to set the IsAuthenticated property for the principal.

HTH,
Nicole

Hello Baileys,
Only apply your IPrincipal impl to Context.User - there is an undocumented event "DefaultAuthentication" that fires directly after AuthenticateRequest that copies Context.User to Thread.CurrentPrincipal.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Thanks Nicole and Dominick,
@Nicole, you guessed right, my implementation of IsAuthenticated was buggy, fixed that and everything works as expected...

@Dominick, do you happen to have a link to some documentation on that undocumented behavior?

rgds,
Baileys

For documentation of the copying of the context user to the thread
principal, search for the first occurrence of the word "thread" at http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetAP04.asp.

It's possible to run into trouble if one relies on this mechanism alone
since code that demands PrincipalPermission can be executed before HttpApplication.SetPrincipalOnThread is run.
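
The behaviour diagnosed in the thread, as an added example that is not code from any of the posters: a PrincipalPermission demand is evaluated against Thread.CurrentPrincipal and requires Identity.IsAuthenticated to be true, even when IsInRole already returns true. It assumes a full-trust .NET Framework console application; MyIdentity, the Demo class and the user name "alice" are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical custom identity: the IsAuthenticated value is chosen by the caller.
sealed class MyIdentity : IIdentity
{
    private readonly bool _authenticated;
    public MyIdentity(string name, bool authenticated) { Name = name; _authenticated = authenticated; }
    public string Name { get; private set; }
    public string AuthenticationType { get { return "Custom"; } }
    public bool IsAuthenticated { get { return _authenticated; } }
}

// Hypothetical custom principal with a fixed role list.
sealed class MyPrincipal : IPrincipal
{
    private readonly string[] _roles;
    public MyPrincipal(IIdentity identity, params string[] roles) { Identity = identity; _roles = roles; }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return Array.IndexOf(_roles, role) >= 0; }
}

static class Demo
{
    // Runs the same imperative demand as step 3 of the question and reports whether it passed.
    static bool DemandAdmin(IPrincipal principal)
    {
        IPrincipal previous = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = principal;   // the only principal the demand looks at
        try { new PrincipalPermission(null, "Admin").Demand(); return true; }
        catch (SecurityException) { return false; }
        finally { Thread.CurrentPrincipal = previous; }
    }

    static void Main()
    {
        // Both principals are in the "Admin" role; only IsAuthenticated differs (constructed sample data).
        var unauthenticated = new MyPrincipal(new MyIdentity("alice", false), "Admin");
        var authenticated = new MyPrincipal(new MyIdentity("alice", true), "Admin");
        Console.WriteLine("IsInRole, IsAuthenticated=false: " + unauthenticated.IsInRole("Admin"));
        Console.WriteLine("Demand,   IsAuthenticated=false: " + DemandAdmin(unauthenticated));
        Console.WriteLine("Demand,   IsAuthenticated=true:  " + DemandAdmin(authenticated));
    }
}
```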