Request for principal permission failed

Benjamin Gavin

Hi all,
I am running into a rather bizarre problem with one of my web
applications. I'm in the process of applying the
PrincipalPermissionAttribute to a number of pages [at the class level]
and I've stumbled into a roadblock.

Problem Setup:
Forms Authentication
Windows XP sp1 + .NET 1.1 SP1

Problem Description:
When I access a page that I control via the
PrincipalPermissionAttribute, I get a very specific set of errors, and
the error always occurs at the same location. The principal permission
attribute is declared as:

<PrincipalPermissionAttribute(SecurityAction.Demand, Role:=SecurityRoles.Authorized)> _
Public Class Foo
Inherits App_Base ' which inherits from System.Web.UI.Page

What happens is that the code begins to execute normally. It calls a
private function which handles data binding and sets up a property on a
custom paging control. This same control has already been accessed in
the Page_Load event, but in this particular function the call suddenly
fails with a SecurityException [which is then caught and a call to a
generic error display routine is tried which also fails with a
SecurityException].

If I switch the declaration above to:
<PrincipalPermission(SecurityAction.Demand, Authenticated:=True)>

Everything works fine. If I switch it back to the original code and add
the following into the Page_Load() event:

Dim perm As New PrincipalPermission(Nothing, SecurityRoles.Authorized)
perm.Demand()

Again, the perm.Demand() succeeds, but the call further down the page
[with the Page_Load event which did the original demand being in the
call-stack] fails with the doubled security exception again.

What is going on here? The same code I am using here was used without a
problem on previous projects and I never ran into this issue. The
imperative security that I put in Page_Load() succeeds, yet the
declarative security causes a failure...

Additionally, if the declarative security were to fail at any point, I
am a little concerned that logic from the Page_Load event is getting
fired when clearly there is something wrong with the
permission/principal object which is causing the error... It would seem
to me that it should be an "all or nothing" thing, not a "we'll go for a
while, and at some point I'll let you know that you don't actually have
permission to do what it is you are doing..."

Thanks!
Ben
 
