PrincipalPermission trouble

Discussion in 'ASP .Net Security' started by Viorel Ghilas, Jun 16, 2005.

  1. Hi all,

    I have a library that has methods protected with PrincipalPermission, for
    example:
    [PrincipalPermission(SecurityAction.LinkDemand, Role="DBAdmin")]
    public Guid GetAdminId() {
    return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
    }

    and I have a web app that creates a user with a role on login. The problem
    is that after one user with the "DBAdmin" role calls GetAdminId, every
    user with any role who is logged in to the system can call this method.
    How can I resolve this problem? If I use Demand instead of LinkDemand it
    works, but I don't use it for performance reasons. I suppose that .NET
    caches method calls with their security permissions? Sure, I protect web
    pages with the authorization mechanism, but the library will be used by
    other people, and all validation must be in the business layer. One solution
    is to use my custom imperative security mechanism. But I want to know what
    is wrong.

    With best regards
    Viorel
     
    Viorel Ghilas, Jun 16, 2005
    #1

  2. Hello Viorel,


    LinkDemand does not make sense here.

    Use SecurityAction.Demand - this will look at Thread.CurrentPrincipal and
    call IsInRole("DBAdmin").

    Be aware that if you go for attributes, you have to hardcode the role name.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Jun 18, 2005
    #2

  3. Hi

    It's not a problem for hardcoded roles, because I use constants. I decided
    to move from declarative security to imperative, with my own CheckSecurity
    method.

    With best regards
    Viorel

     
    Viorel Ghilas, Jun 20, 2005
    #3
  4. Hello Viorel,

    So consts are not hardcoded? :)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Jun 20, 2005
    #4
  5. Hi Dominick

    I meant that I don't change all code if I need to modify some role name. In
    my case I have a set of well-known roles.


     
    Viorel Ghilas, Jun 20, 2005
    #5
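
The Demand-based check suggested in reply #2 and the imperative variant with role constants mentioned in reply #3, as an added example that is not code from any poster in this thread. It assumes the .NET Framework; the Roles class, the body of CheckSecurity, and the users "alice" and "bob" are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class Roles
{
    // Compile-time constant, so it can be used as an attribute argument.
    public const string DbAdmin = "DBAdmin";
}

public class AdminLibrary
{
    // Declarative: Demand runs on every call against Thread.CurrentPrincipal.
    // A LinkDemand is checked only once, when the calling method is JIT-compiled.
    [PrincipalPermission(SecurityAction.Demand, Role = Roles.DbAdmin)]
    public Guid GetAdminId()
    {
        return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
    }

    // Imperative equivalent (hypothetical helper, same per-call check).
    public Guid GetAdminIdImperative()
    {
        CheckSecurity(Roles.DbAdmin);
        return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
    }

    private static void CheckSecurity(string role)
    {
        // Throws SecurityException unless the current principal is
        // authenticated and IsInRole(role) returns true.
        new PrincipalPermission(null, role).Demand();
    }
}

public static class Program
{
    public static void Main()
    {
        var lib = new AdminLibrary();
        Call(lib, "alice", Roles.DbAdmin); // admin first, as in the question
        Call(lib, "bob", "Reader");        // must still be denied afterwards
    }

    private static void Call(AdminLibrary lib, string user, string role)
    {
        // Constructed principal standing in for the web app's login step.
        Thread.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity(user), new[] { role });
        try
        {
            Console.WriteLine("{0}: {1} / {2}", user,
                lib.GetAdminId(), lib.GetAdminIdImperative());
        }
        catch (SecurityException)
        {
            Console.WriteLine("{0}: access denied", user);
        }
    }
}
```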