Request for principal permission failed

From: Benjamin Gavin
Date: 10/06/04


Date: Wed, 06 Oct 2004 09:56:26 -0500

Hi all,
   I am running into a rather bizarre problem with one of my web
applications. I'm in the process of applying the
PrincipalPermissionAttribute to a number of pages [at the class level]
and I've stumbled into a roadblock.

Problem Setup:
Forms Authentication
Windows XP sp1 + .NET 1.1 SP1

Problem Description:
When I access a page that I control via the
PrincipalPermissionAttribute, I get a very specific set of errors, and
the error always occurs at the same location. The principal permission
attribute is declared as:

<PrincipalPermissionAttribute(SecurityAction.Demand,
Role:=SecurityRoles.Authorized)> _
Public Class Foo
   Inherits App_Base ' which inherits from System.Web.UI.Page

What happens is that the code begins to execute normally. It calls a
private function which handles data binding and sets up a property on a
custom paging control. This same control has already been accessed in
the Page_Load event, but in this particular function the call suddenly
fails with a SecurityException [which is then caught and a call to a
generic error display routine is tried which also fails with a
SecurityException].

If I switch the declaration above to:
<PrincipalPermission(SecurityAction.Demand, Authenticated:=True)>

Everything works fine. If I switch it back to the original code and add
the following into the Page_Load() event:

Dim perm As New PrincipalPermission(Nothing, SecurityRoles.Authorized)
perm.Demand()

Again, the perm.Demand() succeeds, but the call further down the page
[with the Page_Load event which did the original demand being in the
call-stack] fails with the doubled security exception again.

What is going on here? The same code I am using here was used without a
problem on previous projects and I never ran into this issue. The
imperative security that I put in Page_Load() succeeds, yet the
declarative security causes a failure...

Additionally, if the declarative security were to fail at any point, I
am a little concerned that logic from the Page_Load event is getting
fired when clearly there is something wrong with the
permission/principal object which is causing the error... It would seem
to me that it should be an "all or nothing" thing, not a "we'll go for a
while, and at some point I'll let you know that you don't actually have
permission to do what it is you are doing..."

Thanks!
Ben
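
Added example, not part of the original post: a console sketch showing that a PrincipalPermission demand is checked against Thread.CurrentPrincipal at the moment each guarded member is called, not through a call-stack walk, so the same class can pass and then fail once the thread's principal no longer carries the role. It assumes the .NET Framework running in full trust; the SecurityRoles module is a constructed stand-in for the post's constant, and Guarded, Demo, DumpPrincipal, TryCall and the user "alice" are hypothetical names.

```vb
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.Threading

' Constructed stand-in for the post's SecurityRoles.Authorized
' (attribute arguments must be compile-time constants).
Public Module SecurityRoles
    Public Const Authorized As String = "Authorized"
End Module

' Class-level declarative demand, written the same way as in the post.
<PrincipalPermission(SecurityAction.Demand, Role:=SecurityRoles.Authorized)> _
Public Class Guarded
    Public Sub BindData()
        Console.WriteLine("  BindData ran")
    End Sub
End Class

Module Demo
    ' Hypothetical helper: report the principal a demand would be checked against.
    Sub DumpPrincipal(ByVal label As String)
        Dim p As IPrincipal = Thread.CurrentPrincipal
        Console.WriteLine("{0}: name='{1}' authenticated={2} inRole={3}", label, _
            p.Identity.Name, p.Identity.IsAuthenticated, p.IsInRole(SecurityRoles.Authorized))
    End Sub

    Sub TryCall(ByVal label As String)
        DumpPrincipal(label)
        Try
            ' Construct and call inside the Try so a failed demand on any member is caught.
            Dim g As New Guarded()
            g.BindData()
        Catch ex As SecurityException
            Console.WriteLine("  SecurityException: {0}", ex.Message)
        End Try
    End Sub

    Sub Main()
        ' Constructed principal: authenticated and holding the demanded role.
        Thread.CurrentPrincipal = New GenericPrincipal(New GenericIdentity("alice"), New String() {SecurityRoles.Authorized})
        TryCall("with role")
        ' Same authenticated identity, empty role list: Authenticated would still pass, the role demand does not.
        Thread.CurrentPrincipal = New GenericPrincipal(New GenericIdentity("alice"), New String() {})
        TryCall("without role")
    End Sub
End Module
```

Calling a helper like DumpPrincipal immediately before the member that throws shows which principal and role membership the failing demand actually saw.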


