RE: Send custom IPrincipal object from client to WCF service - Possibl



Keep in mind that you shouldn't base any security decisions on information originating from the client - the client is basically untrusted. Can't you re-create the information you need based on the authenticated principal?


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hello James,

Thanks for your response.

What we ended up doing is kinda like that. We custom serialize our
IPrincipal object, stuff it in the message header, then extract and
recreate our object at the server within the Evaluate method.

We found no way to directly send a custom IPrincipal object created
at the client, directly thru the server. Every sample we saw built
the object at the server with only say a 'windows' account or
user/pass pair passed in.

Doing it the way we did, we were able to keep all of the information
we had stuffed in the custom object when we created it on the client
end.

Thanks again.

"aiKeith" wrote:

We are trying to do something that doesn't appear to be possible.

Simply this:

We create an IPrincipal object on the client based on a custom class
that holds info we need for auditing (ip, workstation_name, etc)

What we want to do is somehow pass this IPrincipal object to WCF when
we access it. This is necessary so we can get the auditing info,
etc...

Why is it that it only appears you can create the Principal object at
the server based on a Windows Account or ClientCredentials --
neither of which will work for us because even if we persisted the
IPrincipal object in a db, we couldn't be sure of reconstructing the
same object at the server - that is if the same user account was
logged into 2 different machines.

Any help would be extremely appreciated.
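
The approach discussed in this thread, as an added example that is not code from any of the posters: a server-side `IAuthorizationPolicy` whose `Evaluate` method takes the identity from what WCF authenticated and keeps client-supplied header data only as an unverified audit field. The `AuditPrincipal` class, the `ClientWorkstation` header name and the `urn:example:audit` namespace are assumptions made for illustration, as is `OperationContext.Current` being available inside `Evaluate`.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical principal: identity comes from WCF authentication, audit fields are labelled by origin.
public sealed class AuditPrincipal : IPrincipal
{
    public IIdentity Identity { get; private set; }
    public string ObservedAddress { get; private set; }    // seen by the server on the transport
    public string ClaimedWorkstation { get; private set; } // sent by the client, unverified
    public AuditPrincipal(IIdentity identity, string observedAddress, string claimedWorkstation)
    {
        Identity = identity; ObservedAddress = observedAddress; ClaimedWorkstation = claimedWorkstation;
    }
    public bool IsInRole(string role) { return false; } // resolve roles server-side, never from the header
}

public sealed class ServerSidePrincipalPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // Identities are placed here by WCF after it has authenticated the caller.
        object value;
        if (!evaluationContext.Properties.TryGetValue("Identities", out value)) return false;
        IList<IIdentity> identities = value as IList<IIdentity>;
        if (identities == null || identities.Count == 0) return false;
        OperationContext ctx = OperationContext.Current;
        object prop;
        ctx.IncomingMessageProperties.TryGetValue(RemoteEndpointMessageProperty.Name, out prop);
        RemoteEndpointMessageProperty remote = prop as RemoteEndpointMessageProperty;

        // Assumed header name and namespace; the value is length-capped and used for audit records only.
        string workstation = null;
        int index = ctx.IncomingMessageHeaders.FindHeader("ClientWorkstation", "urn:example:audit");
        if (index >= 0) workstation = ctx.IncomingMessageHeaders.GetHeader<string>(index);
        if (workstation != null && workstation.Length > 64) workstation = workstation.Substring(0, 64);
        evaluationContext.Properties["Principal"] =
            new AuditPrincipal(identities[0], remote != null ? remote.Address : null, workstation);
        return true;
    }
}
```

WCF assigns `Properties["Principal"]` to the thread only when the service's `ServiceAuthorizationBehavior` has `PrincipalPermissionMode` set to `Custom` and the policy is listed in `ExternalAuthorizationPolicies`.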


