Re: Per-method role management
From: Jon Skeet [C# MVP] (skeet_at_pobox.com)
Date: 10/15/04
Date: Fri, 15 Oct 2004 11:00:24 +0100
Jon Skeet [C# MVP] <skeet@pobox.com> wrote:
> Ah well - I'll keep experimenting.
Current solution seems to work. Each web method has something like:
    if (!CheckRole (...)) return;
or
    if (!CheckRole (...)) return null;
CheckRole looks like this:
    bool CheckRole(string role)
    {
        // Not authenticated at all: 401
        if (!Context.User.Identity.IsAuthenticated)
        {
            Context.Response.StatusCode = 401;
            Context.Response.StatusDescription = "Access Denied";
            // Context.Response.SuppressContent = true;
            return false;
        }
        // Authenticated, but not in the required role: 403
        if (!Context.User.IsInRole(role))
        {
            Context.Response.StatusCode = 403;
            Context.Response.StatusDescription = "Forbidden";
            // Context.Response.SuppressContent = true;
            return false;
        }
        return true;
    }
For some reason, suppressing the content makes the server hang - no
idea why yet. That's a slight pity, but not significantly problematic.
That all seems to work, and has the benefit of allowing anonymous
access for the service description. If anyone knows any way of
improving the above, or why it's awful and should be avoided like the
plague, do let me know :)
--
Jon Skeet - <skeet@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
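
Added example (not part of the original post, and not the poster's code): the approach above depends on every web method starting with the CheckRole guard, so a method that omits it runs with no role check at all. The Python check below scans C# source for [WebMethod] methods whose body does not begin with that guard. The OrderService class, its method names and the role names are constructed sample input, and the check assumes the guard is written in the single-line form shown in the post.

```python
import re

# Constructed sample of an ASMX code-behind file; all names here are made up.
SAMPLE = '''
public class OrderService : WebService
{
    [WebMethod]
    public void Cancel(int id)
    {
        if (!CheckRole("Managers")) return;
        Orders.Cancel(id);
    }

    [WebMethod]
    public string[] List()
    {
        if (!CheckRole ("Staff")) return null;
        return Orders.All();
    }

    [WebMethod(Description = "Purge old orders")]
    public void Purge()
    {
        Orders.Purge();
    }
}
'''

# [WebMethod] or [WebMethod(...)], then the signature up to the opening brace.
WEB_METHOD = re.compile(r'\[WebMethod(?:\([^\]]*\))?\]\s*([^{;]*?)(\w+)\s*\([^)]*\)\s*\{')
# The guard from the post: if (!CheckRole(...)) return ...;
# A guard written any other way (braces, helper variable) is reported for review.
GUARD = re.compile(r'\s*if\s*\(\s*!\s*CheckRole\s*\([^;{}]*\)\s*\)\s*return\b[^;]*;')

def unguarded_web_methods(source):
    """Return names of [WebMethod] methods whose first statement is not the guard."""
    missing = []
    for m in WEB_METHOD.finditer(source):
        if not GUARD.match(source, m.end()):  # guard must open the method body
            missing.append(m.group(2))
    return missing

if __name__ == "__main__":
    print(unguarded_web_methods(SAMPLE))
```

Run against the real code-behind files in a build step, a non-empty result is a reason to fail the build.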