Hi,
I'm using WSE3.0, and I want to use declarative role-based security for the
methods on a web service. This is done using the PrincipalPermission
attribute, like:
    [PrincipalPermission(SecurityAction.Demand, Role="Admins")]
I have also created a custom UsernameTokenManager to authenticate the user
against Active Directory. In the AuthenticateToken method of my custom
UsernameTokenManager I assign the Thread.CurrentPrincipal _and_ the
token.Principal with a GenericPrincipal object holding the user name and
roles. So far, so good. When running in the debugger, the user is
authenticated and the principal is assigned.
However, I always get an exception when the method tagged with the
PrincipalPermission is about to be invoked. If I instead remove the
attribute, and check the GenericPrincipal object inside the web method, it is
empty. The principal isn't transferred from the
UsernameTokenManager.AuthenticateToken() to the web method of a web service.
How come? Can't declarative security be used like this per web method? If I
remove the permission demand entirely, everything runs smoothly, of course.
Any tips would be greatly appreciated.
/Henrik
Pablo Cibraro - 09 Jan 2006 20:29 GMT
Hi Henrik,
The default implementation of the UsernameTokenManager doesn't set the
Principal for the thread running the web method. You will have to do
something like this:
1. Create a custom UsernameTokenManager
2. Override the AuthenticateToken method:
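    // Requires: using System.Security.Principal;
    protected override string AuthenticateToken( UsernameToken token )
    {
        // Credentials must be validated before this point: returning
        // token.Password as-is accepts whatever password was sent.
        GenericIdentity identity = new GenericIdentity(token.Username);
        // null roles: the principal is in no role
        GenericPrincipal principal = new GenericPrincipal(identity, null);
        token.Principal = principal;
        System.Threading.Thread.CurrentPrincipal = principal;
        return token.Password;
    }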
If using a custom token manager is not an option for you, you will have to
use the AuthorizationAssertion.
Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
http://www.lagash.com
Henrik Ohlsson - 10 Jan 2006 07:14 GMT
Hi,
If you read my post, you'd see that's exactly what I did. However, even
though I'm setting the principal both on the thread and on the token, it
seems to have vanished come web method invocation. Any ideas?
Thanks,
Henrik
Pablo Cibraro - 10 Jan 2006 14:10 GMT
Yes, you are right.
I didn't notice this before. It seems like ASP.NET is replacing the
principal before calling the web method.
Regards,
Pablo Cibraro.
Henrik Ohlsson - 12 Jan 2006 07:45 GMT
Does anyone have an idea as to why this happens? Is it by design, and if so,
why, or is it a bug?
/Henrik
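An added example (not from any poster in this thread, and not WSE code) that reproduces the symptom with plain .NET Framework types: a declarative PrincipalPermission demand is evaluated against Thread.CurrentPrincipal at call time, so it fails once anything replaces that principal after authentication, while an imperative check against a principal kept on the token object does not depend on the thread. Assumptions: TokenStandIn is a hypothetical stand-in for the UsernameToken, the replacement of the thread principal is simulated by hand, and declarative demands are enforced only on .NET Framework.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical stand-in for the WSE token; only its Principal is modelled.
class TokenStandIn { public IPrincipal Principal; }

static class Demo
{
    // Declarative check: evaluated against Thread.CurrentPrincipal on each call.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
    static string DeclarativeMethod() { return "declarative: allowed"; }

    // Imperative check: uses the principal stored on the token and fails closed
    // when it is missing, unauthenticated or not in the required role.
    static string ImperativeMethod(TokenStandIn token)
    {
        IPrincipal p = token.Principal;
        if (p == null || !p.Identity.IsAuthenticated || !p.IsInRole("Admins"))
            throw new SecurityException("caller is not in role Admins");
        return "imperative: allowed";
    }

    static void Main()
    {
        // Authentication step: same assignments as in AuthenticateToken above.
        // The user name and role are constructed sample values.
        TokenStandIn token = new TokenStandIn();
        GenericPrincipal principal = new GenericPrincipal(
            new GenericIdentity("henrik"), new string[] { "Admins" });
        token.Principal = principal;
        Thread.CurrentPrincipal = principal;
        Console.WriteLine(DeclarativeMethod());

        // Simulated: the host installs an empty principal before invocation.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity(""), new string[0]);
        try { Console.WriteLine(DeclarativeMethod()); }
        catch (SecurityException) { Console.WriteLine("declarative: SecurityException"); }

        // The token still carries the authenticated principal.
        Console.WriteLine(ImperativeMethod(token));
    }
}
```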