Re: Roles and Permissions??
pwstevens_at_hotmail.com
Date: 02/24/05
- Next message: Craig: "RE: Looking for security training"
- Previous message: Phil C.: "Re: ??Difference Between utf8encoder.GetBytes and Encoding.ASCII.GetBytes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 24 Feb 2005 14:01:59 -0800
Jose, hopefully you are still around at this address and can help us
out. We are doing what sounds to be exactly what you were trying to
do; and we are experiencing the filenotfound exception when trying to
use our custom permission. It appears you fixed that problem, and I'm
hoping you can tell me what you did? Also, did you ever figure out
your other problem and actually get the custom permission to work
declaratively?
Thank you so much for any help you or anyone else can provide!
Phil
Jose Lema wrote:
> Doug,
>
> I've had the same problem and found little help.
> Essentially, I've extended what GenericPrincipal.IsInRole
> and PrincipalPermission were designed to do. Unfortunately
> there is NO documentation when it comes to creating new
> Role-Based Permissions, just CodeAccessPermissions.
>
> What I've been able to do is define my own IIdentity class
> and IPrincipal class. Then I've added a custom method to
> my CustomPrincipal - something like, CheckPermission().
> Then I created a new class that implements both
> IPermission and ISecurityEncodable in order to work like
> PrincipalPermission. The only stumbling block I've had is
> to create the custom attribute. It looks like I need to
> inherit from CodeAccessPermissionAttribute (at least
> that's what PrincipalPermissionAttribute does). This is
> where I'm confused. If PrincipalPermission did not inherit
> from CodeAccessPermission, why should
> PrincipalPermissionAttribute inherit from
> CodeAccessPermissionAttribute? When I try to inherit my
> custom permission attribute from
> CodeAccessPermissionAttribute, I get some compilation
> errors (error emitting attribute: file not found...)
>
> Regardless I CAN instantiate my custom permission and
> demand it (imperatively) and it works.
>
> <sample>
> public void Page_Load(object sender, EventArgs e)
> {
> ...
>
> // See if user can access the functionality "do this"
> try
> {
> CustomPermission p = new CustomPermission("DoThis");
> p.Demand();
> ...
> DoThis();
> }
> catch (CustomSecurityException ex)
> {
> // do whatever you want, or just swallow exception
> }
> }
> </sample>
>
> If I can find a way to get the attribute thing going, then
> my front-end code won't need the check explicitly, because
> the DoThis() method will be declared as follows:
>
> <sample>
> [CustomPermission(SecurityAction.Demand, "DoThis")]
> private void DoThis()
> {
> ...
> }
> </sample>
>
> Sorry if this rambles or is too long. It's been a long
> week...already. :)
>
> JL
>
> >-----Original Message-----
> >Sorry but I must rant.... ASP.NET security sucks when
> compared to JAVA
> >security.
> >Now my problem....
> >I am setting up security for an ASP.NET web application
> and I need to use
> >forms authentication. I've set up my database, setup my
> login page, setup my
> >authentication ticket crap....... just to discover that
> the only way I can
> >limit user access to portions of my application is
> through Roles. Roles are
> >awesome but the problem is that it appears that Roles are
> as granular as I
> >can get in ASP.NET. i.e. to allow certain users to
> access a resource (say a
> >menu item) and to deny access to that resource to other
> users I would use
> >code like the following:
> >
> >........
> >if ( HTTPContext.Current.User.IsInRole( "Admin" ) )
> >{ MenuCtrl.MenuItem("Admin").Hidden = False;
> >}
> >else
> > if ( HTTPContext.Current.User.IsInRole( "User" ) )
> > { MenuCtrl.MenuItem("Admin").Hidden = True;
> > }
> >........
> >
> >The problem is that if I create another Role then I have
> to update the code
> >to deal with the new Role. It would be nice if I could
> use a custom
> >CodeAccessPermission to see if the user has permission to
> access the menu
> >item.
> >
> >To use a CodeAccessPermission I should be able to define
> an XML security
> >policy file that lists all of the permissions for a Role,
> or dynamically
> >generate an XML string from a database containing the
> permissions, then
> >execute code, for the user, within the context of this
> security policy. This
> >would result in the Roles being administrable and once
> the permission check
> >is in the code, the code will not have to be modified,
> only the permissions
> >for the roles would be modified. I have looked for ways
> to do something like
> >this and have had no success. I looked at impersonation
> but that seems to
> >only work with Windows authentication.
> >
> >I would really like to know if there is some way that I
> can execute code
> >blocks using a different security context than the
> default, without
> >resorting to Windows authentication. If I am looking at
> this problem from
> >the wrong perspective, could someone let me in on the
> secret. If any of you
> >can
> >refer me to an article or a book that addresses this
> situation I would
> >really appreciate it.
> >
> >Thanks
> >Doug Schott
> >
> >
> >
> >.
> >
- Next message: Craig: "RE: Looking for security training"
- Previous message: Phil C.: "Re: ??Difference Between utf8encoder.GetBytes and Encoding.ASCII.GetBytes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
