Re: Design Question
From: Nicole Calinoiu (calinoiu)
Date: 12/23/04
- Next message: Paul: "Re: Getting the current value from a field"
- Previous message: Nicole Calinoiu: "Re: Design Question"
- In reply to: John Lee: "Re: Design Question"
- Next in thread: Nicole Calinoiu: "Re: Design Question"
Date: Thu, 23 Dec 2004 09:22:32 -0500
John,
Your biggest problem with this is likely to be determining the name of the
method. Unfortunately, the permissions attributes have no built-in
mechanism for directly retrieving a reference to the attribute target.
While it might be possible to retrieve such a reference using a combination
of stack walking and reflection at runtime, this would have potentially
undesirable performance consequences. To avoid these, you would need to
either hard-code the operation name (or some mapping value) into the
attribute definition (regardless of whether you're implementing with a custom
permission or a principal permission with custom principal) or use a tool
like XC# that will do the heavy lifting at compile time rather than at
runtime. Personally, I wouldn't opt for the hard-coding approach since
security holes could be opened by simply missing an edit during code
maintenance, but YMMV...
HTH,
Nicole
"John Lee" <johnl@newsgroup.nospam> wrote in message
news:uc3SvTH6EHA.260@TK2MSFTNGP10.phx.gbl...
> Thanks very much for the reply.
>
> But all role-based security information resides in AzMan store. All web
> services are configured as Windows authentication in IIS. So I will have
> to first get the Windows principal and then call AzRoles.dll's
> AccessCheck("method name") - each method name will be defined as an
> "operation" in AzMan store.
>
> Regards,
> John
>
> "Nicholas Paldino [.NET/C# MVP]" <mvp@spam.guard.caspershouse.com> wrote
> in message news:Or%230XtG6EHA.4004@tk2msftngp13.phx.gbl...
>> Or (and I think this is the easiest one of all), just use a custom
>> principal, and let Code Access Security take care of the rest.
>> Basically, you implement IPrincipal, and set it as the principal for the
>> thread that is doing the processing.
>>
>> Attached is a console application which demonstrates how to use the
>> PrincipalPermission attribute. Basically, there is an implementation of
>> IPrincipal and the current thread is set to use that principal (you will
>> have to do something different to have web requests use a certain
>> principal, but I'm sure you can do it). Then, you just apply the right
>> attribute to your method, and the runtime will take care of the rest.
>>
>> Try changing the IsInRole implementation to return something else, or
>> the declaration of the PrincipalPermission attribute and the call to
>> DoSomething will fail.
>>
>> Hope this helps.
>>
>>
>> --
>> - Nicholas Paldino [.NET/C# MVP]
>> - mvp@spam.guard.caspershouse.com
>>
>>
>> "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
>> news:O5xBXYG6EHA.1260@TK2MSFTNGP12.phx.gbl...
>>> Yes, but it's probably not as simple as you might have hoped. Here are the
>>> three main approaches:
>>>
>>> 1. Implement the check as a custom permission with a corresponding attribute
>>> (http://msdn.microsoft.com/library/en-us/cpguide/html/cpconcreatingyourowncodeaccesspermissions.asp).
>>> This may be your best bet since you can presumably control whether the
>>> attribute assembly is registered as a trusted assembly.
>>>
>>> 2. Place the actual method work in objects that inherit from
>>> System.ContextBoundObject. This might interfere with your planned object
>>> hierarchy, as well as introducing an otherwise unnecessary performance hit.
>>>
>>> 3. Use a tool like XC# (http://www.resolvecorp.com/Products.aspx) to
>>> generate inline code that corresponds to your custom attribute.
>>>
>>> If this truly is a security permission, #1 is probably the "cleanest"
>>> approach. Otherwise, #3 would probably offer the best compromise between
>>> design-time convenience and runtime performance.
>>>
>>> HTH,
>>> Nicole
>>>
>>>
>>>
>>> "John Lee" <johnl@newsgroup.nospam> wrote in message
>>> news:ejm4%237F6EHA.2180@TK2MSFTNGP10.phx.gbl...
>>>> Hi,
>>>>
>>>> If I want to check permission on each public method of a web service
>>>> (assume the checking routine is ready to use and called AccessCheck), one
>>>> way of doing it is to call this AccessCheck at the top of each public
>>>> method. I want to implement it in a different way but seem to be missing
>>>> something -
>>>>
>>>> I want to develop a custom attribute, let's say
>>>> SecurityCheckEnabledAttribute with only a Yes/No parameter, then create a
>>>> base class for all web service classes. Is there any way to capture the
>>>> public method call from the base class at runtime and then check if the
>>>> attribute is being applied and then check the permission?
>>>>
>>>> Thanks a lot!
>>>>
>>>> Regards,
>>>> John
>>>>
>>>
>>>
>>
>>
>>
>
>