Re: ASP.NET Identity to COM+...
From: Linus (linus_at_technologist.com)
Date: 10/05/04
Date: 5 Oct 2004 12:17:43 -0700
Dominick,
Thank you for your reply. Do you have any suggestions on this
particular design pattern? I'd think my scenario is pretty typical for
most of the ASP.NET applications interacting with COM+ server
applications with role-based security. I'd appreciate it if you could
help.
-Linus
"Dominick Baier" <dotnet@leastprivilege.com> wrote in message news:<uyL8PNumEHA.2864@tk2msftngp13.phx.gbl>...
> Hi,
>
> I am afraid - this won't work.
>
> COM+ and .NET Role Based Security are not compatible.
>
> COM+ is tied to windows accounts - you are using custom roles
>
> COM+ does not expose the IPrincipal through Thread.CurrentPrincipal - it uses the COM+ security context which is exposed through SecurityCallContext.CurrentCall.DirectCaller (or similar).
>
> Impersonation in COM+ also does not work through WindowsIdentity.Impersonate - but only through DLLImporting CoImpersonateClient e.g.
>
> There is an article on MSDN which may be interesting:
>
> http://msdn.microsoft.com/msdnmag/issues/02/05/rolesec/
>
>
>
> ---
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> nntp://news.microsoft.com/microsoft.public.dotnet.security/<501d83a1.0409141331.64a8d576@posting.google.com>
>
> Hi,
>
> My database holds information about users, groups and roles and
> I've written a custom principal class (implements IPrincipal) to read
> this information from tables.
>
> When a user signs on to my ASP.NET web app, I first use the forms
> authentication to authenticate the user, then I construct the custom
> principal object with all associated roles populated, then I attach
> this principal object to the current thread (Thread.CurrentPrincipal =
> ...).
>
> Next, what I want to do is that when I call a COM+ component on a
> remote machine (an app server), I want to use the same set of roles to
> do the role-based security check. For example, if I have the role
> "Manager" in my custom principal object, I would like to see a call to
> the following method successful:
>
> [SecurityRole("Manager")]
> [AutoComplete]
> public DataSet GetList(int iOrderNumber)
> {
>     // get data
> }
>
> Does anyone here know how to do this (I could only make this work
> when my COM+ package was set as a library application, but not server
> application.)?
>
> Thanks.
>
> -Linus
>
> [microsoft.public.dotnet.security]
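
The point in Dominick's reply, as an added example that is not code from either poster: a COM+ server component authorizes against the COM+ security call context, so roles attached to `Thread.CurrentPrincipal` in the web tier never reach it. The class name `OrderService`, the `WhoAmI` diagnostic method and the returned `DataSet` are hypothetical; the assembly is assumed to be strong-named and registered as a COM+ server application with Windows accounts assigned to the "Manager" role.

```csharp
using System;
using System.Data;
using System.EnterpriseServices;
using System.Threading;

// Run out of process and enforce role checks at process and component level.
[assembly: ApplicationActivation(ActivationOption.Server)]
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent)]

[ComponentAccessControl]
[SecurityRole("Manager")]
public class OrderService : ServicedComponent
{
    [AutoComplete]
    public DataSet GetList(int orderNumber)
    {
        SecurityCallContext call = SecurityCallContext.CurrentCall;

        // Programmatic check against the COM+ role, which is populated with
        // Windows accounts in the COM+ catalog, not with custom IPrincipal roles.
        if (!call.IsSecurityEnabled || !call.IsCallerInRole("Manager"))
        {
            throw new UnauthorizedAccessException(
                "Caller is not in the COM+ role 'Manager': " +
                call.DirectCaller.AccountName);
        }

        return new DataSet("Orders"); // placeholder for the real data access
    }

    // Diagnostic: shows which identity COM+ actually authorizes.
    // DirectCaller is the Windows account the calling process runs under
    // (or the one it impersonates); the custom principal set in the web
    // application does not cross the process boundary.
    public string WhoAmI()
    {
        SecurityCallContext call = SecurityCallContext.CurrentCall;
        return String.Format(
            "DirectCaller={0}; OriginalCaller={1}; Thread.CurrentPrincipal={2}",
            call.DirectCaller.AccountName,
            call.OriginalCaller.AccountName,
            Thread.CurrentPrincipal.Identity.Name);
    }
}
```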