Re: PrincipalPermission trouble

From: Viorel Ghilas (vghilas_at_hotmail.com)
Date: 06/20/05


Date: Mon, 20 Jun 2005 09:15:44 +0300

Hi

It's not a problem for hardcoded roles, because I use constants. I decided
to move from declarative security to imperative, with my own CheckSecurity
method.

With best regards
Viorel

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:489906632546762955809776@news.microsoft.com...
> Hello Viorel,
>
>
> LinkDemand does not make sense here.
>
> Use SecurityAction.Demand - this will look at Thread.CurrentPrincipal and
> call IsInRole("DBAdmin").
>
> Be aware that if you go for attributes, you have to hardcode the role name.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hi all,
> >
> > I have a library that has methods protected with PrincipalPermission,
> > for example:
> > [PrincipalPermission(SecurityAction.LinkDemand, Role="DBAdmin")]
> > public Guid GetAdminId() {
> > return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
> > }
> > and I have a web app that creates a user with a role on login. The
> > problem is that after one user with the "DBAdmin" role calls GetAdminId,
> > then after it every user with every role that is logged in to the system
> > can call this method. How can I resolve this problem? If I use
> > Demand instead of LinkDemand it will work, but I don't use it for
> > performance reasons. I suppose that .NET cached method calls with its
> > security permissions? Sure, I protect web pages with the authorization
> > mechanism, but the library will be used by other people, and all
> > validation must be on the business layer. One solution is to use my
> > custom imperative security mechanism. But I want to know what is
> > wrong?
> >
> > With best regards
> > Viorel
>
>
>
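An added example, not code from either poster: the imperative check discussed in this thread, sketched for .NET Framework. A LinkDemand is evaluated once, when the calling method is JIT-compiled, which matches the behaviour reported in the question; `Demand()` is evaluated against `Thread.CurrentPrincipal` on every call. The `AdminLibrary` and `Program` classes, the `DbAdminRole` constant, the body of `CheckSecurity` and the user names are assumptions made for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class AdminLibrary
{
    // Role name kept in a constant so it is not repeated as a literal.
    public const string DbAdminRole = "DBAdmin";

    // Hypothetical stand-in for the poster's CheckSecurity method.
    // Demand() inspects Thread.CurrentPrincipal each time it runs and
    // throws SecurityException when the principal is not in the role.
    private static void CheckSecurity(string role)
    {
        new PrincipalPermission(null, role).Demand();
    }

    public Guid GetAdminId()
    {
        CheckSecurity(DbAdminRole);
        return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
    }
}

public static class Program
{
    private static void CallAs(string user, params string[] roles)
    {
        // Constructed principal; the web app in the thread sets this at login.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try
        {
            Console.WriteLine("{0}: {1}", user, new AdminLibrary().GetAdminId());
        }
        catch (SecurityException)
        {
            Console.WriteLine("{0}: access denied", user);
        }
    }

    public static void Main()
    {
        CallAs("alice", AdminLibrary.DbAdminRole); // principal holds the role
        CallAs("bob", "Reader");                   // no role, called after a permitted call
        CallAs("alice", AdminLibrary.DbAdminRole); // role holder again
    }
}
```

Because the check runs inside the library method itself, it holds regardless of which page or host application makes the call.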