PrincipalPermission trouble

 
 
Viorel Ghilas
      06-16-2005
Hi all,

I have a library that has methods protected with PrincipalPermission, for
example:

[PrincipalPermission(SecurityAction.LinkDemand, Role="DBAdmin")]
public Guid GetAdminId() {
    return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
}

and I have a web app that creates a user with a role on login. The problem
is that after one user with the "DBAdmin" role calls GetAdminId, every
logged-in user with any role can call this method.
How can I resolve this problem? If I use Demand instead of LinkDemand it
works, but I don't use it for performance reasons. I suppose that .NET
caches method calls with their security permissions? Sure, I protect the web
pages with an authorization mechanism, but the library will be used by other
people, and all validation must be in the business layer. One solution is to
use my custom imperative security mechanism. But I want to know what is wrong.

With best regards
Viorel


 
 
 
 
 
Dominick Baier [DevelopMentor]
      06-18-2005
Hello Viorel,


LinkDemand does not make sense here.

Use SecurityAction.Demand - this will look at Thread.CurrentPrincipal and
call IsInRole("DBAdmin").

Be aware that if you go for attributes, you have to hardcode the role name.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

 
 
 
 
Viorel Ghilas
      06-20-2005
Hi

It's not a problem for hardcoded roles, because I use constants. I decided
to move from declarative security to imperative, with my own CheckSecurity
method.

With best regards
Viorel
 
Dominick Baier [DevelopMentor]
      06-20-2005
Hello Viorel,

So consts are not hardcoded?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

 
Viorel Ghilas
      06-20-2005
Hi Dominick

I meant that I don't change all the code if I need to modify some role name.
In my case I have a set of well-known roles.
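Added example, not code from any poster in this thread: the SecurityAction.Demand approach recommended above, next to an imperative check of the kind mentioned in the follow-up, both reading the role name from a constant. It assumes .NET Framework; Roles, AdminLibrary, GetAdminIdImperative, CheckSecurity's body, and the users "alice" and "bob" are hypothetical.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical names throughout (Roles, AdminLibrary, CheckSecurity); targets .NET Framework.
public static class Roles { public const string DbAdmin = "DBAdmin"; }

public class AdminLibrary
{
    // Declarative: Demand is evaluated on every call against Thread.CurrentPrincipal.
    [PrincipalPermission(SecurityAction.Demand, Role = Roles.DbAdmin)]
    public Guid GetAdminId()
    {
        return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
    }

    // Imperative equivalent: the role name may be a run-time value, not only a constant.
    public Guid GetAdminIdImperative()
    {
        CheckSecurity(Roles.DbAdmin);
        return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
    }

    private static void CheckSecurity(string role)
    {
        // Throws SecurityException unless Thread.CurrentPrincipal.IsInRole(role) is true.
        new PrincipalPermission(null, role).Demand();
    }
}

public static class Program
{
    private static void Try(string user, params string[] roles)
    {
        // Constructed principal standing in for the one the web app sets at login.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try { new AdminLibrary().GetAdminId(); Console.WriteLine(user + ": allowed"); }
        catch (SecurityException) { Console.WriteLine(user + ": denied"); }
    }

    public static void Main()
    {
        Try("alice", "DBAdmin"); // allowed
        Try("bob", "Reader");    // denied, even though alice already called the method
    }
}
```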
 
 
 