WindowsPrincipal m_roles, m_rolesTable, m_rolesLoaded question

Discussion in 'ASP .Net Security' started by costasz@gmail.com, Sep 28, 2006.

  1. Guest

    We have these ASP.Net 1.1 apps that use ADS authentication. There was
    a requirement to load ALL the roles for a particular user. We had used
    reflection to get to the Principal's m_roles field to get them. Now,
    we're running in ASP.Net 2.0 and I see that m_roles is null,
    m_rolesTable is null and m_rolesLoaded is false. The Principal object
    looks good to me otherwise. Any ideas?

    Thanks

    Costas
    , Sep 28, 2006
    #1

  2. Joe Kaplan Guest

    This is what you get for using reflection against private members in
    production code. :)

    What you should do in .NET 2.0 is cast the Identity member to a
    WindowsIdentity and access the Groups property. That will give you an
    IdentityReferenceCollection containing the groups as SecurityIdentifier
    objects. You can then use the Translate method on the collection class to
    translate them to NTAccount objects and get the friendly names.

    This method will also work going forward, since you will be using a
    documented public interface.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    <> wrote in message
    news:...
    > We have these ASP.Net 1.1 apps that use ADS authentication. There was
    > a requirement to load ALL the roles for a particular user. We had used
    > reflection to get to the Principal's m_roles field to get them. Now,
    > we're running in ASP.Net 2.0 and I see that m_roles is null,
    > m_rolesTable is null and m_rolesLoaded is false. The Principal object
    > looks good to me otherwise. Any ideas?
    >
    > Thanks
    >
    > Costas
    >
    Joe Kaplan, Sep 28, 2006
    #2
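
The approach described in the reply above, as an added example that is not part of the original thread: it casts the principal's Identity to WindowsIdentity, reads Groups, and translates the SIDs to NTAccount names. `GroupLister` and `GetGroupNames` are hypothetical names; passing `false` for `forceSuccess` is a choice made here so that a SID that cannot be resolved stays in SID form instead of raising IdentityNotMappedException.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example; GroupLister and GetGroupNames are hypothetical names.
public static class GroupLister
{
    // Returns the groups carried in the principal's Windows token,
    // as DOMAIN\name where the SID resolves and as the raw SID string otherwise.
    public static IList<string> GetGroupNames(IPrincipal principal)
    {
        if (principal == null)
            throw new ArgumentNullException("principal");

        WindowsIdentity identity = principal.Identity as WindowsIdentity;
        if (identity == null)
            throw new InvalidOperationException(
                "The principal is not backed by a Windows token.");

        List<string> names = new List<string>();

        // Groups is a collection of SecurityIdentifier objects read from the token.
        IdentityReferenceCollection sids = identity.Groups;
        if (sids == null)
            return names;

        // Translation is the step that may need to contact a domain controller.
        // forceSuccess = false leaves unresolvable SIDs untranslated.
        IdentityReferenceCollection translated =
            sids.Translate(typeof(NTAccount), false);

        foreach (IdentityReference reference in translated)
            names.Add(reference.Value);

        return names;
    }

    // Console entry point so the example runs outside ASP.NET.
    public static void Main()
    {
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            foreach (string name in GetGroupNames(new WindowsPrincipal(current)))
                Console.WriteLine(name);
        }
    }
}
```

In an ASP.NET page using Windows authentication, the same helper would be called as `GroupLister.GetGroupNames(HttpContext.Current.User)`.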

  3. Guest

    Awesome, thanks, I'll try it on Friday.

    Isn't it bizarre that the roles collection is not available as a read
    only property?


    Thanks


    CZ
    , Sep 30, 2006
    #3
  4. Joe Kaplan Guest

    Re: Awesome, thanks, I'll try it on Friday.

    It is an eternal mystery, although I'm sure there is a reason. Maybe D.
    knows? :)

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    <> wrote in message
    news:...
    > Isn't it bizarre that the roles collection is not available as a read
    > only property?
    >
    >
    > Thanks
    >
    >
    > CZ
    >
    Joe Kaplan, Oct 2, 2006
    #4
  5. Re: Awesome, thanks, I'll try it on Friday.

    Well - it is available. just as SIDs.

    Since it requires network roundtrips to translate SIDs to the "names" - it
    makes sense to me to explicitly request the information...



    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > It is an eternal mystery, although I'm sure there is a reason. Maybe
    > D. knows? :)
    >
    > Joe K.
    >
    Dominick Baier, Oct 2, 2006
    #5
  6. Joe Kaplan Guest

    Re: Awesome, thanks, I'll try it on Friday.

    I think he was asking why there is no Roles property directly on IPrincipal,
    only an IsInRole method. That's the impression that I got. Any clue?

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > Well - it is available. just as SIDs.
    >
    > Since it requires network roundtrips to translate SIDs to the "names" - it
    > makes sense to me to explicitly request the information...
    >
    >
    >
    > ---
    > Dominick Baier, DevelopMentor
    > http://www.leastprivilege.com
    >
    >> It is an eternal mystery, although I'm sure there is a reason. Maybe
    >> D. knows? :)
    >>
    >> Joe K.
    >>

    >
    >
    Joe Kaplan, Oct 2, 2006
    #6
  7. Re: Awesome, thanks, I'll try it on Friday.

    Because that's up to the implementation - that's at least the reason why it
    is not part of IPrincipal.

    You know that Windows auth is a little special - auth and authZ information
    is packaged as one opaque blob (the token).

    Well - there is a Groups property on WindowsIdentity (which makes sense if
    you think about a WindowsIdentity as the managed wrapper for tokens).

    But yeah - WindowsPrincipal could support this (maybe vnext :)

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > I think he was asking why there is no Roles property directly on
    > IPrincipal, only an IsInRole method. That's the impression that I got.
    > Any clue?
    >
    > Joe K.
    >
    Dominick Baier, Oct 2, 2006
    #7
  8. Joe Kaplan Guest

    Re: Awesome, thanks, I'll try it on Friday.

    I guess I too always thought it would be helpful if IPrincipal itself
    directly had a Roles property that returned some sort of read only
    collection of strings. Presumably if it can handle the IsInRole question,
    it must know the roles, right? :)

    I guess I could see a few situations where enumerating the groups might be
    very expensive vs. just checking for membership, but in practice, I haven't
    really seen that to be the case.

    I'm sure there must be a reason why the BCL guys decided not to include
    this. It would be good to know why. Maybe it is in one of those giant Brad
    Abrams Addison-Wesley books....

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com> wrote in
    message news:...
    > Because that's up to the implementation - that's at least the reason why it
    > is not part of IPrincipal.
    >
    > You know that Windows auth is a little special - auth and authZ
    > information is packaged as one opaque blob (the token).
    >
    > Well - there is a Groups property on WindowsIdentity (which makes sense if
    > you think about a WindowsIdentity as the managed wrapper for tokens).
    >
    > But yeah - WindowsPrincipal could support this (maybe vnext :)
    >
    > ---
    > Dominick Baier, DevelopMentor
    > http://www.leastprivilege.com
    >
    >> I think he was asking why there is no Roles property directly on
    >> IPrincipal, only an IsInRole method. That's the impression that I got.
    >> Any clue?
    >>
    >> Joe K.
    >>

    >
    >
    Joe Kaplan, Oct 2, 2006
    #8
  9. Re: Awesome, thanks, I'll try it on Friday

    Well - I think there is a difference between having such functionality in
    a principal object and *enforcing* it - which would be the effect if they
    added the Roles property to the IPrincipal interface.

    RolePrincipal in ASP.NET e.g. has a GetRoles method.

    So yes WindowsPrincipal could do a better job - but I don't think it should
    be part of the interface.


    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > I guess I too always thought it would be helpful if IPrincipal itself
    > directly had a Roles property that returned some sort of read only
    > collection of strings. Presumably if it can handle the IsInRole
    > question, it must know the roles, right? :)
    >
    > I guess I could see a few situations where enumerating the groups
    > might be very expensive vs. just checking for membership, but in
    > practice, I haven't really seen that to be the case.
    >
    > I'm sure there must be a reason why the BCL guys decided not to
    > include this. It would be good to know why. Maybe it is in one of
    > those giant Brad Abrams Addison-Wesley books....
    >
    > Joe K.
    >
    Dominick Baier, Oct 2, 2006
    #9