Re: Per-method role management

From: Jon Skeet [C# MVP] (skeet_at_pobox.com)
Date: 10/15/04


Date: Fri, 15 Oct 2004 10:32:52 +0100

Sami Vaaraniemi <samivanospam@pleasejippii.fi> wrote:
> "Jon Skeet [C# MVP]" <skeet@pobox.com> wrote in message
> news:MPG.1bd986ce29ef54798b6e5@msnews.microsoft.com...
> > <Drew Robbins <"drew at drewby.com">> wrote:
> > > When making a web request over http, the status code 500 is the response
> > > for most exceptions.
> >
> > Yes - it shouldn't be for this condition though :(
>
> To return HTTP code 403 you might have to fail it already in the HttpModule
> where you do the digest authentication (I'm not sure if you can hack the web
> method somehow to get it to return HTTP 403 (see (*))). Handling it in the
> HttpModule *and* also allowing declarative permissions in the web methods, you
> would have to reflect the web method, see if it has the PrincipalPermission
> attribute, then check if the user belongs to the role and then possibly
> fail. This is a fair amount of work and you'd be writing similar plumbing
> that WSE gives you pretty much out of the box...

Yes - unfortunately WSE isn't in the picture at the moment.

I'm getting somewhere setting the HTTP code in the web service, but
still investigating at the moment. Unfortunately, it's fairly hard to
look at what's coming down the wire when I'm testing with a Pocket PC
connected with USB.

If I could very easily and robustly work out what web method was going
to be called (beyond just parsing the URL - doable but slightly flaky,
I suspect) I would put the authorization rules in an XML form
somewhere, akin to how servlets work. Unfortunately I can't see any way
of finding out what method is going to be called programmatically before
it *is* called. I may well have missed something though...
 
> A bigger question is: is it ok to couple the authentication logic with
> transport? This depends largely on your requirements, but in general, HTTP
> digest authentication for web services is a dead-end as are all
> transport-based authentication schemes. They won't do if you want to
> authenticate over other transports, over multiple hops, or have support for
> WS-Security. Again, WSE would be the real answer here.

For other situations, you're absolutely right. In this case, a
transport authentication mechanism is fine, although I'd prefer not to
couple the *authorization* mechanism in there.

We're abusing web services in a few ways to make the bandwidth more
reasonable, as this is going over GPRS. Some calls have to be made with
HTTP POST rather than SOAP for that reason.

> (*) I made a quick experiment with the following code in the web method:
>
> Context.Response.Clear();
> Context.Response.StatusCode = 403;
> Context.Response.StatusDescription = "Access Denied";
> Context.Response.Write("<h2>Access Denied</h2>");
> Context.Response.End();
>
> but it just ends up returning error code 500 anyway with a
> ThreadAbortException. Most likely the Web Service infrastructure in ASP.NET
> does not like you trying to change the HTTP response from within the web
> method.

I think it doesn't mind that - it's the call to End() which causes
problems, by throwing an exception. I'm not sure where it sets the code
to 200 though - if it does that after the web method has executed, I
could have problems. Ah well - I'll keep experimenting.

-- 
Jon Skeet - <skeet@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
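An added illustration (not code from this thread) of the HttpModule approach Sami sketches: reflect the target web method for its PrincipalPermission attributes, check the caller's roles, and return 403 before the ASMX handler runs, finishing with CompleteRequest() rather than Response.End() so no ThreadAbortException is raised. The service type MyService and the method-name resolution (SOAPAction header for SOAP 1.1, trailing path segment for the HTTP POST calls) are assumptions; the latter is the URL parsing Jon calls doable but slightly flaky.

```csharp
using System;
using System.Reflection;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;
// Hypothetical module. Assumes the service class is MyService in this assembly and that
// its web methods carry [PrincipalPermission(SecurityAction.Demand, Role = "...")].
public class RoleAuthorizationModule : IHttpModule
{
    public void Init(HttpApplication app) { app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest); }
    public void Dispose() { }
    // Assumed callers: SOAP 1.1 names the method in SOAPAction, HTTP POST/GET in /Service.asmx/Method.
    static string ResolveMethodName(HttpRequest request)
    {
        string action = request.Headers["SOAPAction"];
        if (action != null && action.Length > 0)
        {
            action = action.Trim('"');
            return action.Substring(action.LastIndexOf('/') + 1);
        }
        return request.PathInfo.Length > 1 ? request.PathInfo.Substring(1) : null;
    }
    // Several Demand attributes on one method are unioned declaratively, so any one satisfied suffices.
    static bool Satisfies(PrincipalPermissionAttribute attr, IPrincipal user)
    {
        if (attr.Authenticated && !user.Identity.IsAuthenticated) return false;
        if (attr.Name != null && attr.Name != user.Identity.Name) return false;
        return attr.Role == null || user.IsInRole(attr.Role);
    }
    void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string methodName = ResolveMethodName(app.Request);
        if (methodName == null) return;                      // WSDL or help page, not a method call
        MethodInfo method = typeof(MyService).GetMethod(methodName);
        if (method == null) return;
        object[] attrs = method.GetCustomAttributes(typeof(PrincipalPermissionAttribute), true);
        if (attrs.Length == 0) return;                       // no declarative rule on this method
        foreach (PrincipalPermissionAttribute attr in attrs)
            if (Satisfies(attr, app.Context.User)) return;
        // Set the status before the web method runs, then finish with CompleteRequest(): it skips
        // the handler and jumps to EndRequest, whereas Response.End() throws ThreadAbortException.
        app.Response.Clear();
        app.Response.StatusCode = 403;
        app.Response.StatusDescription = "Access Denied";
        app.Response.Write("<h2>Access Denied</h2>");
        app.CompleteRequest();
    }
}
```

Because the status is set in AuthorizeRequest and the ASMX handler never executes, the open question of whether the web service infrastructure resets the code to 200 after the method returns does not arise on this path.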

