VB.NET Role-Based Access

Am trying to implement some security on my program. This program will be run on a number of machines across the globe. I have created a number of user groups which contain the access privileges of the Windows users but as they are not builtin groups I cannot do as below!

    <PrincipalPermissionAttribute(SecurityAction.Demand, _
        Role := "BUILTIN\Backup Operators")> _

What I need to know is how can I change the Role attribute to look at my user-defined groups instead of the builtin groups? And as I don't know the Domains that users are working in, how do I add that to the attribute???? Really need something like below but it doesn't work:

    <PrincipalPermissionAttribute(SecurityAction.Demand, _
        Role := "AllowedCreation")> _

Thank you

Dave

That's why in real applications the PrincipalPermission attribute is rarely used - there are 2 implications

a) attributes are embedded in meta data at compile time - there is no way to make them somehow dynamic at runtime

b) this leads to 2 problems
   - you have to hardcode domain/machine names
   - and even BUILTIN\ will not work because those names are localized - and the role check will fail on a non-English Windows

     Builtin\Backup Operators (English) == Vordefiniert\Sicherungsoperatoren (German)

Use the attribute only for checking the Authenticated property.

For everything else use Thread.CurrentPrincipal.IsInRole (and in 2.0 the overload of WindowsPrincipal.IsInRole that takes SIDs also makes you locale independent)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi all,
>
> Am trying to implement some security on my program. This program will
> be run on a number of machines across the globe. I have created a
> number of user groups which contain the access privileges of the
> Windows users but as they are not builtin groups I cannot do as below!
>
> <PrincipalPermissionAttribute(SecurityAction.Demand, _
> Role := "BUILTIN\Backup Operators")> _
> What I need to know is how can I change the Role attribute to look at
> my user-defined groups instead of the builtin groups? And as I don't
> know the Domains that users are working in, how do I add that to the
> attribute???? Really need something like below but it doesn't work:
>
> <PrincipalPermissionAttribute(SecurityAction.Demand, _
> Role := "AllowedCreation")> _
> Thank you
>
> Dave
>

OK, another related question.

My application is using the Windows users as its user list. Meaning you can log onto Windows as say Alice but when you come to opening my application you can log on as either Alice or Bob (another Windows user on the same machine). I've confirmed Bob's password by using LogonUser, however when I come to use CurrentPrincipal.IsInRole, it is reverting back to Alice's permissions as she is the logged on user in Windows. How do I make the CurrentPrincipal thing look at Bob instead? I tried impersonating Bob with WindowsPrincipal but also to no avail.

that's an odd design ;)

ok - LogonUser returns a token. You can use this token to create a WindowsIdentity. Wrap the WindowsIdentity with a WindowsPrincipal and assign it to Thread.CurrentPrincipal.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> OK, another related question.
>
> My application is using the Windows users as its user list. Meaning
> you can log onto Windows as say Alice but when you come to opening my
> application you can log on as either Alice or Bob (another Windows
> user on the same machine). I've confirmed Bob's password by using
> LogonUser, however when I come to use CurrentPrincipal.IsInRole, it is
> reverting back to Alice's permissions as she is the logged on user in
> Windows. How do I make the CurrentPrincipal thing look at Bob instead?
> I tried impersonating Bob with WindowsPrincipal but also to no avail.

don't ask me about the design, it's not mine.... I was quite happy just using the current user logged in..... made more sense to me but there you go! thanks dom
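
The two answers in this thread combined into one sketch, as an added example that is not part of the original posts: the LogonUser token is turned into Thread.CurrentPrincipal, the built-in group is checked by its well-known SID (.NET 2.0), and the custom group's domain or machine prefix is supplied at run time instead of being compiled into an attribute. The module and method names (RoleCheckExample, SignIn, IsBackupOperator, IsInGroup) are hypothetical.

```vbnet
Imports System
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Threading

Module RoleCheckExample   ' hypothetical names, not from the thread
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal user As String, ByVal domain As String, _
        ByVal password As String, ByVal logonType As Integer, _
        ByVal provider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    ' Log the application user on and make them the thread's principal.
    Public Sub SignIn(ByVal user As String, ByVal domain As String, ByVal password As String)
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            Throw New System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error())
        End If
        Try
            ' WindowsIdentity duplicates the token, so ours can be closed afterwards.
            Thread.CurrentPrincipal = New WindowsPrincipal(New WindowsIdentity(token))
        Finally
            CloseHandle(token)
        End Try
    End Sub

    ' Built-in group: compare by well-known SID, which is the same on every locale.
    Public Function IsBackupOperator() As Boolean
        Dim p As WindowsPrincipal = TryCast(Thread.CurrentPrincipal, WindowsPrincipal)
        If p Is Nothing Then Return False
        Dim sid As New SecurityIdentifier(WellKnownSidType.BuiltinBackupOperatorsSid, Nothing)
        Return p.IsInRole(sid)
    End Function

    ' Custom group: the domain or machine prefix is supplied at run time.
    Public Function IsInGroup(ByVal authority As String, ByVal group As String) As Boolean
        Return Thread.CurrentPrincipal.IsInRole(authority & "\" & group)
    End Function
End Module
```

After SignIn succeeds for Bob, a call such as IsInGroup(Environment.MachineName, "AllowedCreation") is evaluated against Bob's token rather than Alice's.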