IPrincipal hack?
From: Bat'on (bat_at_qazeta.pl)
Date: 06/26/03
- Previous message: Michael Pucher: "Re: Code Group Security policy deployment"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: IPrincipal hack?"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: IPrincipal hack?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 Jun 2003 00:27:14 -0700
Hello,
We have an assembly (library) secured with declarative
principal attributes, together with a custom IPrincipal
implementation, and a custom (SQL based) login method.
Now, I wonder if there is any way to prevent this
scenario: any (hacked?) client (app, xml web service or
aspx page) creates GenericPrincipal with "admin" role
(or just an IsInRole implementation returning always true)
and sets Thread.CurrentPrincipal to his implementation -
and passes all principal based security demands.
So anyone that has access to my library can create an
application bypassing the need to log in?
Is it possible to find out what roles are demanded
on a particular portion of code? AFAIR reflection
does not allow access to security attributes, but what
about just reading the content of the assembly?
Sebastian
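As an added illustration of the library-side mitigation (not code from the thread or from Sebastian's project, .NET Framework assumed): the library's own principal type is sealed with an internal constructor so only its login routine can create it, and the secured method checks for that type in addition to the declarative demand. The type and method names are hypothetical.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical principal type: sealed, with an internal constructor, so only
// this assembly's own login routine can construct one.
public sealed class LibraryPrincipal : IPrincipal
{
    private readonly string[] roles;

    internal LibraryPrincipal(string name, string[] roles)
    {
        Identity = new GenericIdentity(name, "SqlLogin");
        this.roles = roles;
    }

    public IIdentity Identity { get; }

    public bool IsInRole(string role)
    {
        return Array.IndexOf(roles, role) >= 0;
    }
}

public static class Login
{
    // Hypothetical stand-in for the SQL-based login; the real one would
    // verify the credentials against the database before issuing a principal.
    public static bool SignIn(string user, string password)
    {
        if (user != "alice" || password != "correct-horse") return false;
        Thread.CurrentPrincipal = new LibraryPrincipal(user, new[] { "admin" });
        return true;
    }
}

public static class Secured
{
    // Declarative demand: throws SecurityException unless
    // Thread.CurrentPrincipal.IsInRole("admin") returns true.
    [PrincipalPermission(SecurityAction.Demand, Role = "admin")]
    public static void AdminOnly()
    {
        // Second check: reject any principal this library did not issue, so a
        // caller that installs GenericPrincipal("admin") or an always-true
        // IsInRole does not get through on the declarative demand alone.
        if (!(Thread.CurrentPrincipal is LibraryPrincipal))
            throw new SecurityException("principal not issued by this library's login");
        Console.WriteLine("admin operation executed");
    }
}
```

This only raises the bar for in-process callers: a fully trusted caller in the same process can still defeat the type check (for instance via reflection on the internal constructor), so role enforcement that must hold against a hostile client has to run on a server the client does not control, with the library's demands guarding only against honest mistakes.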