Re: Per-method role management
From: Sami Vaaraniemi (samivanospam_at_pleasejippii.fi)
Date: 10/15/04
- Next message: Jon Skeet [C# MVP]: "Re: Per-method role management"
- Previous message: Jon Skeet [C# MVP]: "Re: Per-method role management"
- In reply to: Jon Skeet [C# MVP]: "Re: Per-method role management"
- Next in thread: Jon Skeet [C# MVP]: "Re: Per-method role management"
- Reply: Jon Skeet [C# MVP]: "Re: Per-method role management"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 15 Oct 2004 12:23:28 +0300
"Jon Skeet [C# MVP]" <skeet@pobox.com> wrote in message
news:MPG.1bd986ce29ef54798b6e5@msnews.microsoft.com...
> <Drew Robbins <"drew at drewby.com">> wrote:
> > When making a web request over http, the status code 500 is the response
> > for most exceptions.
>
> Yes - it shouldn't be for this condition though :(
To return HTTP code 403 you might have to fail it already in the HttpModule
where you do the digest authentication (I'm not sure if you can hack the web
method somehow to get it to return HTTP 403 (see (*)). Handling it in the
HttpModule *and* also allow declarative permissions in the web methods, you
would have to reflect the web method, see if it has the PrincipalPermission
attribute, then check if the user belongs to the role and then possibly
fail. This is a fair amount of work and you'd be writing similar plumbing
that WSE gives you pretty much out of the box...
A bigger question is is it ok to couple the authentication logic with
transport? This depends largely on your requirements, but in general, HTTP
digest authentication for web services is a dead-end as are all
transport-based authentication schemes. They won't do if you want to
authenticate over other transports, over multiple hops, or have support for
WS-Security. Again, WSE would be the real answer here.
(*) I made a quick experiment with the following code in the web method:
Context.Response.Clear();
Context.Response.StatusCode = 403;
Context.Response.StatusDescription = "Access Denied";
Context.Response.Write("<h2>Access Denied</h2>");
Context.Response.End();
but it just ends up returning error code 500 anyway with a
ThreadAbortException. Most likely the Web Service infrastructure in ASP.NET
does not like you trying to change the HTTP response from within the web
method.
>
> > You may want to look at the Policy mechanism in WSE 2.0 to enforce
> > role-based authorization.
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnws
> > e/html/wse2wspolicy.asp
>
> Right. I've been trying to avoid all of that stuff for the moment
> (partly because I'm using the Compact Framework to talk to the
> webservice, so I want to keep things simple).
>
> I think I'll just work out some way of returning normally from the
> method having set the response code, and suppress the content of the
> response.
As it sometimes happens, trying to keep it simple may end up making things
unnecessarily complicated :)
Regards and YMMV,
Sami
- Next message: Jon Skeet [C# MVP]: "Re: Per-method role management"
- Previous message: Jon Skeet [C# MVP]: "Re: Per-method role management"
- In reply to: Jon Skeet [C# MVP]: "Re: Per-method role management"
- Next in thread: Jon Skeet [C# MVP]: "Re: Per-method role management"
- Reply: Jon Skeet [C# MVP]: "Re: Per-method role management"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
