isInRole doesn't work for one user, but works for everyone else

Discussion in 'ASP .Net Security' started by Dominick Baier, Sep 17, 2004.

  1. Hi,

    I must admit - I don't really understand your logic.

    Why don't you just call User.IsInRole("role"); ???

    Another note - the documentation states that you are only allowed to call SetPrincipalPolicy once per AppDomain - maybe something is wrong here...

    You only have to call SetPrincipalPolicy if no plumbing has populated Thread.CurrentPrincipal for you (e.g. in a console / winforms app) - but ASP.NET does that.



    ---
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<>

    I have an ASP.NET/C# application in which I verify that the current user is a
    member of a list of roles before giving them access to particular functions
    of the application (read vs update). I am using the IsInRole method of the
    IPrincipal object to check for role membership. Currently, I am just
    checking the domain/username against a list of domain/usernames, and will
    eventually create Groups.

    This is working well for all users, except one. Although my application is
    correctly identifying this user with the correct domain/username, the
    isinrole call returns false.

    My code is below:

    from the .aspx.cs:

    private void Page_Load(object sender, System.EventArgs e)
    {
        if (!((Security)(Application["security"])).userInRole("edit",
                HttpContext.Current.User))
            edit = false;
        else
            edit = true;
    }

    This code is from a C# object (called "Security") and is called from the
    page above:


    public Boolean userInRole(String role, IPrincipal principal)
    {
        Boolean inRole = false;

        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        // get users from hashtable
        String[] users = (String[])securityRolesMap[role];

        // loop through users to see if the current user matches
        for (int i = 0; i < users.Length; i++)
        {
            String user = users[i];
            if (principal.IsInRole(user.ToLower()))
            {
                inRole = true;
                break;
            }
        }

        return inRole;
    }


    Any ideas why this would work okay for everyone except one user?


    [microsoft.public.dotnet.framework.aspnet.security]
     
    Dominick Baier, Sep 17, 2004
    #1

  2. Dominick Baier

    petersonrj Guest

    Dominick,

    Thanks for the information on SetPrincipalPolicy method. I removed that
    from my code.

    The userInRole method that I created is intended to be a reusable method
    throughout my application, as I need this functionality in multiple places.
    So, I really am just calling User.IsInRole("role") since User is an
    IPrincipal.

    For the user for which the call wasn't working, I created an AD group and
    added them as a member. The isInRole works fine for that user when comparing
    to a group, just not against their user id. I'm still not sure why, but at
    least I've got the app working.

    Thanks for your help!
     
    petersonrj, Sep 21, 2004
    #2

  3. Have you set your IIS settings?
    Go to the Virtual Directory your application is on in IIS and clear the
    Anonymous Access check box.
     
    Patrick.O.Ige, Oct 21, 2004
    #3
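
An added example, not code from any poster in this thread: a reusable check in the spirit of the userInRole helper above that compares account entries against Identity.Name, reserves IsInRole for group entries, and denies anonymous requests. The RoleChecker class, the "user:"/"group:" prefix convention and the CONTOSO names are assumptions made for illustration; constructed GenericPrincipal objects stand in for HttpContext.Current.User.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper: each role map entry is tagged as an account or a group.
public sealed class RoleChecker
{
    // role -> entries such as "user:CONTOSO\alice" or "group:CONTOSO\Editors" (constructed names)
    private readonly Dictionary<string, string[]> map;
    public RoleChecker(Dictionary<string, string[]> map) { this.map = map; }

    public bool UserInRole(string role, IPrincipal principal)
    {
        // Fail closed: missing principal, anonymous request, or unknown role.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;
        string[] entries;
        if (!map.TryGetValue(role, out entries)) return false;
        foreach (string entry in entries)
        {
            if (entry.StartsWith("user:", StringComparison.OrdinalIgnoreCase))
            {
                // Account names are compared with Identity.Name, not passed to IsInRole.
                if (string.Equals(entry.Substring(5), principal.Identity.Name,
                                  StringComparison.OrdinalIgnoreCase))
                    return true;
            }
            else if (entry.StartsWith("group:", StringComparison.OrdinalIgnoreCase))
            {
                // Group membership is the question IsInRole is meant to answer.
                if (principal.IsInRole(entry.Substring(6))) return true;
            }
            // Entries without a known prefix are ignored, so they never grant access.
        }
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        var checker = new RoleChecker(new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) {
            { "edit", new[] { @"user:CONTOSO\alice", @"group:CONTOSO\Editors" } } });
        // Constructed principals: an account entry, a group member, an anonymous caller.
        IPrincipal alice = new GenericPrincipal(new GenericIdentity(@"CONTOSO\alice"), new string[0]);
        IPrincipal bob = new GenericPrincipal(new GenericIdentity(@"CONTOSO\bob"), new[] { @"CONTOSO\Editors" });
        IPrincipal anon = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        Console.WriteLine("{0} {1} {2}", checker.UserInRole("edit", alice),
            checker.UserInRole("edit", bob), checker.UserInRole("edit", anon));
    }
}
```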