WindowsPrincipal.IsInRole actually check roles and NOT groups?

Andy - 16 May 2008 16:28 GMT
Hi,

I currently have my application set up and built using Windows
Authentication (WindowsPrincipal).  For security checks, I simply do
an IsInRole call on the Principal.  The role permissions are hard-
coded, something like this:

private static string[] allowedReadRoles = new string[] { "Sales", "Ordering" };

I now need to brand my application, and while the roles will remain
the same, the problem is that IsInRole is functioning via group
membership.  The branding will be for other companies, which are owned
by the same owners, and use the same office buildings, network /
domain and computers as the main company (the other companies have
less than 10 people).

So, adding the users for Company B to existing groups isn't really an
option... they'd have access to the application for Company A.  In the
database that would work, since I add logons for new groups and map
them to existing database roles.  For my code though, I don't see a
way to do this.  I could provide a similar mapping, but that would
require me to update multiple databases to do the mappings each time I
add a new role to the application.

Any other ideas?  Has anyone used Authentication Manager, which allows
you to define real roles, not AD Groups?  Is there anything that puts
actual roles in WindowsPrincipal.IsInRole, not just Windows groups?
It seems an odd thing; AD groups aren't roles, yet WindowsPrincipal
treats them as such.

Thanks
Andy

Marc Gravell - 16 May 2008 22:59 GMT
Well, if it helps, even with Windows identity you can provide your own
role definitions. If you can look them up from somewhere,
GenericPrincipal may be of use - alternatively create your own
IPrincipal that performs IsInRole... (perhaps prepending an NT name
onto the role per instance?)

But essentially you are going to have to store the data somewhere...

Some ideas...

Marc

using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class Program
{
   static void Main()
   {
       // Application-defined roles, looked up from wherever they are stored
       string[] userRoles = { "Sales" };
       // Keep the Windows identity, but supply our own role list
       Thread.CurrentPrincipal = new GenericPrincipal(WindowsIdentity.GetCurrent(), userRoles);
       TestSales();
       try
       {
           TestAdmin();
       }
       catch (SecurityException)
       {
           // The demand for "Admin" fails: the principal only has "Sales"
           Console.WriteLine("Admin failed ;-p");
       }
   }

   // Demands are evaluated against Thread.CurrentPrincipal
   [PrincipalPermission(SecurityAction.Demand, Role = "Sales")]
   static void TestSales() { Console.WriteLine("Sales"); }

   [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
   static void TestAdmin() { Console.WriteLine("Admin"); }
}

// another idea for separating the data...
class SuffixPrincipal : IPrincipal
{
   private readonly IPrincipal parent;
   private readonly string roleSuffix;

   public SuffixPrincipal(IPrincipal parent, string roleSuffix)
   {
       if (parent == null) throw new ArgumentNullException("parent");
       this.parent = parent;
       this.roleSuffix = roleSuffix;
   }

   public IIdentity Identity { get { return parent.Identity; } }

   // Appends the per-instance suffix before asking the wrapped principal
   public bool IsInRole(string role)
   {
       return parent.IsInRole(role + roleSuffix);
   }
}
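
An added example, not part of either post above: one way to combine the two ideas in this thread is an IPrincipal wrapper that resolves each hard-coded application role through an explicit per-brand map of Windows groups and denies any role the map does not list. BrandRolePrincipal, the group names and EXAMPLE\bob are hypothetical, and a GenericPrincipal stands in for the real WindowsPrincipal so the sample runs without a domain.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

// Hypothetical wrapper: resolves application roles to one brand's Windows groups.
sealed class BrandRolePrincipal : IPrincipal
{
    private readonly IPrincipal inner;
    private readonly Dictionary<string, string[]> roleToGroups;

    public BrandRolePrincipal(IPrincipal inner, IDictionary<string, string[]> roleToGroups)
    {
        if (inner == null) throw new ArgumentNullException("inner");
        if (roleToGroups == null) throw new ArgumentNullException("roleToGroups");
        this.inner = inner;
        this.roleToGroups = new Dictionary<string, string[]>(
            roleToGroups, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get { return inner.Identity; } }

    public bool IsInRole(string role)
    {
        string[] groups;
        // Fail closed: a role with no mapping for this brand is never granted,
        // even if the user is in a Windows group that happens to share its name.
        if (role == null || !roleToGroups.TryGetValue(role, out groups)) return false;
        foreach (string group in groups)
            if (inner.IsInRole(group)) return true;
        return false;
    }
}

static class BrandDemo
{
    static void Main()
    {
        // Constructed sample user; GenericPrincipal stands in for WindowsPrincipal.
        IPrincipal user = new GenericPrincipal(
            new GenericIdentity(@"EXAMPLE\bob"), new[] { "CompanyB-Sales" });
        var companyA = new Dictionary<string, string[]> { { "Sales", new[] { "Sales" } } };
        var companyB = new Dictionary<string, string[]> { { "Sales", new[] { "CompanyB-Sales" } } };

        Thread.CurrentPrincipal = new BrandRolePrincipal(user, companyB);
        Console.WriteLine(Thread.CurrentPrincipal.IsInRole("Sales"));                // Company B build
        Console.WriteLine(new BrandRolePrincipal(user, companyA).IsInRole("Sales")); // Company A build
        Console.WriteLine(Thread.CurrentPrincipal.IsInRole("CompanyB-Sales"));       // raw group name
    }
}
```

The hard-coded role names in the application stay the same for every brand; only the map differs, and it is the data that has to be stored somewhere, for example in each brand's configuration.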
