PrincipalPermission trouble

Viorel Ghilas

Hi all,

I have a library that has methods protected with PrincipalPermission, for
example:
[PrincipalPermission(SecurityAction.LinkDemand, Role="DBAdmin")]
public Guid GetAdminId() {
    return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
}

and I have a web app that creates a user with a role on login. The problem
is that after one user with the "DBAdmin" role calls GetAdminId, every user
with every role that is logged in to the system can call this method.
How can I resolve this problem? If I put Demand instead of LinkDemand it will
work, but I don't use it for performance reasons. I suppose that .NET
caches method calls with their security permissions? Sure, I protect web pages
with an authorization mechanism, but the library will be used by other people,
and all validation must be in the business layer. One solution is to use my
custom imperative security mechanism. But I want to know what is wrong?

With best regards
Viorel
 
Dominick Baier [DevelopMentor]

Hello Viorel,


LinkDemand does not make sense here.

Use SecurityAction.Demand - this will look at Thread.CurrentPrincipal and
call IsInRole("DBAdmin").

Be aware that if you go for attributes, you have to hardcode the role name.
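
The per-call check described in the reply above, as an added example (not code from the thread): the declarative Demand next to the equivalent imperative call, assuming .NET Framework. The Roles constants class, the Program harness and the users alice and bob are made up for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical constants class; a const is still fixed at compile time.
static class Roles { public const string DBAdmin = "DBAdmin"; }

public class AdminLibrary
{
    // Declarative form. Demand is evaluated on every call against
    // Thread.CurrentPrincipal; LinkDemand is checked once, when the
    // calling method is JIT-compiled, so it cannot tell later users apart.
    [PrincipalPermission(SecurityAction.Demand, Role = Roles.DBAdmin)]
    public Guid GetAdminId()
    {
        return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
    }

    // Imperative form of the same check; the role could be chosen at run time.
    public Guid GetAdminIdImperative()
    {
        new PrincipalPermission(null, Roles.DBAdmin).Demand();
        return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
    }
}

static class Program
{
    static void CallAs(string user, params string[] roles)
    {
        // Constructed principal standing in for the one the web app builds at login.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try
        {
            var lib = new AdminLibrary();
            lib.GetAdminId();
            lib.GetAdminIdImperative();
            Console.WriteLine("{0}: allowed", user);
        }
        catch (SecurityException)
        {
            Console.WriteLine("{0}: denied", user);
        }
    }

    static void Main()
    {
        CallAs("alice", Roles.DBAdmin); // admin calls first, as in the question
        CallAs("bob", "Reader");        // non-admin on the same thread afterwards
    }
}
```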
 
Viorel Ghilas

Hi

It's not a problem for hardcoded roles, because I use constants. I decided
to move from declarative security to imperative, with my own CheckSecurity
method.

With best regards
Viorel

 
Dominick Baier [DevelopMentor]

Hello Viorel,

So consts are not hardcoded? :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
 
Viorel Ghilas

Hi Dominick

I meant that I don't change all the code if I need to modify some role name. In
my case I have a set of well-known roles.


 
