microsoft.public.dotnet.security

Re: Custom IPrincipal and declarative security checking

Do you have a practical example of code that demands PrincipalPermission
before HttpApplication.SetPrincipalOnThread is run (besides code you've
written yourself in AuthenticateRequest)?

---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

nntp://news.microsoft.com/microsoft.public.dotnet.security/<epHQWZiKFHA.4***@tk2msftngp13.phx.gbl>
> It's possible to run into trouble if one relies on this mechanism alone,
> since code that demands PrincipalPermission can be executed before
> HttpApplication.SetPrincipalOnThread is run.
>
> "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
> wrote in message news:138135632465227438566637@news.microsoft.com...
>> Hello Baileys,
>>
>> only apply your IPrincipal impl to Context.User -
>> there is an undocumented event "DefaultAuthentication" that fires directly
>> after AuthenticateRequest that copies Context.User to
>> Thread.CurrentPrincipal.
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>
>>> Hi,
>>>
>>> I'm having trouble getting declarative checks (using
>>> PrincipalPermissionAttribute) to work with my custom IPrincipal
>>> implementation in a web scenario.
>>>
>>> I created a custom principal class (MyPrincipal), implementing the
>>> IPrincipal interface.
>>> I added code to the global.asax Application_AuthenticateRequest handler
>>> to construct an instance of MyPrincipal, and assign this instance to
>>> Context.User (also tried assigning the instance to both Context.User
>>> and Thread.CurrentPrincipal).
>>> I've got a class (MyClass) defined as follows:
>>>
>>>     using System.Security.Permissions;
>>>
>>>     public class MyClass
>>>     {
>>>         [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
>>>         public static void MyMethod()
>>>         {
>>>             // do stuff
>>>         }
>>>     }
>>>
>>> I have got a web page containing the following code in Page_Load:
>>>
>>>     using System.Security.Permissions;
>>>     using System.Threading;
>>>
>>>     bool test = Thread.CurrentPrincipal.IsInRole("Admin");   // 1. works (test=true)
>>>     bool test2 = Context.User.IsInRole("Admin");             // 2. works (test2=true)
>>>
>>>     PrincipalPermission p = new PrincipalPermission(null, "Admin");
>>>     p.Demand();                                              // 3. Fails
>>>
>>>     MyClass.MyMethod();                                      // 4. Fails
>>>
>>> The last 2 methods (using PrincipalPermission.Demand and calling
>>> MyMethod) fail with a security exception (Exception Details:
>>> System.Security.SecurityException: Request for principal permission
>>> failed.).
>>>
>>> I was under the impression that the PrincipalPermissionAttribute class
>>> would work with every implementation of IPrincipal, and not just with
>>> WindowsPrincipal & GenericPrincipal. Is that correct?
>>>
>>> Am I missing something obvious here? Would especially be grateful for
>>> links to docs exploring .NET security with custom implementations of
>>> different security-related classes...
>>>
>>> Thanks in advance, all help welcome...
>>>
>>> Baileys.


"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:OwuxZziKFHA.244@TK2MSFTNGP12.phx.gbl...
> My point is that you run into even bigger trouble when you only copy the
> IPrincipal to Thread.CurrentPrincipal - a common mistake I have seen.

Assuming that the context user is ever used, sure. However, I've never
seen this done, probably because all the examples show use of the context
user rather than the thread principal. <g>

> Do you have a practical example of code that demands PrincipalPermission
> before HttpApplication.SetPrincipalOnThread is run (besides code you've
> written yourself in AuthenticateRequest)?

Actually, that's exactly the most common scenario I've seen: calling a
method that demands PrincipalPermission from the AuthenticateRequest
method. In addition, it seems at least some folks set the context user
outside AuthenticateRequest (see, for example,
http://www.hanselman.com/blog/CommentView,guid,22c42b73-4004-40ce-8af9-47f1b9b434ed.aspx
and http://weblogs.threepines.net/taba/archive/2004/09/10/270.aspx).

> ---
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
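The mechanism the whole thread turns on is that PrincipalPermission.Demand() consults Thread.CurrentPrincipal only, never HttpContext.User, and that ASP.NET copies the one to the other only after AuthenticateRequest has finished. The console program below is an added example, not code from the thread or from Microsoft, and it reproduces that behaviour outside ASP.NET so the timing problem can be seen without a web server: MyPrincipal is a hypothetical custom IPrincipal with constructed in-memory roles, contextUser stands in for Context.User, and the hand-written assignment to Thread.CurrentPrincipal plays the role of the DefaultAuthentication step. It targets .NET Framework, where declarative PrincipalPermission is supported; the demo itself uses the imperative Demand, which is what the declarative attribute does under the hood.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical custom principal (not from the thread): roles are a constructed
// in-memory list, standing in for whatever store a real application would use.
class MyPrincipal : IPrincipal
{
    private readonly string[] roles;

    public MyPrincipal(string name, params string[] roles)
    {
        // A non-empty name with an authentication type makes IsAuthenticated true,
        // which PrincipalPermission also requires by default.
        Identity = new GenericIdentity(name, "Custom");
        this.roles = roles;
    }

    public IIdentity Identity { get; }

    public bool IsInRole(string role) =>
        Array.Exists(roles, r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase));
}

static class PrincipalTimingDemo
{
    // Runs the same demand MyClass.MyMethod would run declaratively and reports
    // whether it passed, instead of letting the SecurityException propagate.
    static bool TryDemandAdmin()
    {
        try
        {
            new PrincipalPermission(null, "Admin").Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    static void Main()
    {
        IPrincipal admin = new MyPrincipal("baileys", "Admin");

        // Stand-in for Context.User as set inside Application_AuthenticateRequest.
        IPrincipal contextUser = admin;

        // Until DefaultAuthentication runs, the thread still carries whatever
        // principal it had before: here an authenticated user with no roles.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("anonymous"), new string[0]);

        Console.WriteLine("Context user IsInRole(\"Admin\"): " + contextUser.IsInRole("Admin"));
        Console.WriteLine("Demand while only Context.User is set: " + TryDemandAdmin());

        // This is the copy DefaultAuthentication performs after AuthenticateRequest.
        Thread.CurrentPrincipal = contextUser;

        Console.WriteLine("Demand after the thread principal is set: " + TryDemandAdmin());
    }
}

// Shape of the global.asax handler the thread recommends (illustration only):
//
// protected void Application_AuthenticateRequest(object sender, EventArgs e)
// {
//     Context.User = new MyPrincipal("baileys", "Admin");
//     // Do not call PrincipalPermission-demanding code from here: the copy to
//     // Thread.CurrentPrincipal has not happened yet, so the demand fails.
// }
```

Run as a console application: the first demand fails even though the context user reports the Admin role, and the second succeeds once the same object is on the thread. That is exactly Baileys' result (checks 1 and 2 pass, 3 and 4 fail) and the reason a demanding method called from within AuthenticateRequest, before the copy, throws "Request for principal permission failed."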