Custom IPrincipal and declarative security checking

From: Baileys (Baileys_at_discussions.microsoft.com)
Date: 03/15/05


Date: Tue, 15 Mar 2005 05:29:03 -0800

Hi,

I'm having trouble getting declarative checks (using
PrinciplePermissionAttribute) to work with my custom IPrincipal
implementation in a web scenario.

I created a custom principal class (MyPrincipal), implementing the
IPrincipal interface
I added code to the global.asax Application_AuthenticateRequest handler to
construct an instance of MyPrincipal, and assign this instance to
Context.User (also tried assigning the instance to both Context.User and
Thread.CurrentPrincipal).
I've got a class (MyClass) defined as follows:

public class MyClass
{
  [PrincipalPermission(SecurityAction.Demand, Role="Admin")]
  public static void MyMethod()
  {
    // do stuff
  }
}

I have got a web page containing the following code in Page_Load:

bool test = Thread.CurrentPrincipal.IsInRole("Admin"); // 1. works (test=true)
bool test2 = Context.User.IsInRole("Admin"); // 2. works
(test2=true)

PrincipalPermission p = new PrincipalPermission(null, "Admin");
p.Demand(); // 3
.Fails

MyClass.MyMethod() // 4. Fails

The last 2 methods (using PrincipalPermission.Demand and calling the
MyMethod) fail with a security exception ( Exception Details:
System.Security.SecurityException: Request for principal permission failed.).

I was under the impression that PrincipalPermissionAttribute class would
work with every implementation of IPrinciple, and not just with the
WindowsPrincipal & GenericPrincipal, is that correct?

Am i missing something obvious here? Would especially be grateful for links
to docs exploring .NET security with custom implementations of different
security related classes...

Thanks in advance, all help welcome...

Baileys.