Re: PrincipalPermission trouble

From: Viorel Ghilas (vghilas_at_hotmail.com)
Date: 06/20/05


Date: Mon, 20 Jun 2005 09:15:44 +0300

Hi

It's not a problem for hardcoded roles, because I use constants. I decided
to move from declarative security to imperative, with my own CheckSecurity
method.

With best regards
Viorel

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:489906632546762955809776@news.microsoft.com...
> Hello Viorel,
>
>
> LinkDemand does not make sense here.
>
> Use SecurityAction.Demand - this will look at Thread.CurrentPrincipal and
> call IsInRole("DBAdmin").
>
> Be aware that if you go for attributes, you have to hardcode the role
> name.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hi all,
> >
> > I have a library that has methods protected with PrincipalPermission,
> > for ex.
> > [PrincipalPermission(SecurityAction.LinkDemand, Role="DBAdmin")]
> > public Guid GetAdminId() {
> >     return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
> > }
> > and I have a web app that creates a user with a role on login. The
> > problem is that after one user with the "DBAdmin" role calls GetAdminId,
> > then after it every user with every role that is logged in to the system
> > could call this method. How can I resolve this problem? If I put
> > Demand instead of LinkDemand it will work, but I don't use it because of
> > performance reasons. I suppose that .NET caches method calls with their
> > security permissions? Sure, I protect web pages with the authorization
> > mechanism, but the library will be used by other people, and all
> > validation must be in the business layer. One solution is to use my
> > custom imperative security mechanism. But I want to know what is
> > wrong?
> >
> > With best regards
> > Viorel
>
>
>
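An added example, not code from either poster: a per-call imperative role check of the kind discussed in this thread, written for the .NET Framework. A link demand is evaluated when the calling method is JIT-compiled rather than on every call, whereas a PrincipalPermission demand tests Thread.CurrentPrincipal each time it runs. The body of CheckSecurity, the AdminLibrary and Program classes, and the users "alice" and "bob" are assumptions made for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class AdminLibrary
{
    // Role name kept in one constant (it could equally come from configuration).
    public const string DbAdminRole = "DBAdmin";

    // Hypothetical helper: runs on every call and throws SecurityException
    // unless Thread.CurrentPrincipal is authenticated and in the given role.
    private static void CheckSecurity(string role)
    {
        // A null name means "any user name"; only the role is tested.
        new PrincipalPermission(null, role).Demand();
    }

    public static Guid GetAdminId()
    {
        CheckSecurity(DbAdminRole);
        return new Guid("{BCA26163-E488-4ce8-BF6B-597EB0BE388F}");
    }
}

public static class Program
{
    // Constructed test users; a web app would attach the principal at login.
    private static void CallAs(string user, params string[] roles)
    {
        Thread.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity(user), roles);
        try
        {
            Console.WriteLine("{0}: allowed, id = {1}", user, AdminLibrary.GetAdminId());
        }
        catch (SecurityException)
        {
            Console.WriteLine("{0}: denied", user);
        }
    }

    public static void Main()
    {
        // An admin calls first, then a non-admin, then the admin again:
        // the role check is re-evaluated for each caller.
        CallAs("alice", "DBAdmin");
        CallAs("bob", "Reader");
        CallAs("alice", "DBAdmin");
    }
}
```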


