I am trying to add role-based authorization to my web services. I have a
Custom Role Provider, which should be used to validate if a user is able to
use a particular web method. I have the following policy:

    <policy name="MySecurityPolicy">
      <authorization roleProviderName="CustomRoleProvider" />
      <usernameOverTransportSecurity />
      <requireActionHeader />
    </policy>

My web service looks like this:

    [WebService]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [Policy("MySecurityPolicy")]
    public class Management : System.Web.Services.WebService
    {
        [WebMethod]
        public string HelloWorld()
        {
            return "Hello World";
        }
    }

However, I don't know how this line comes into play:

    <authorization roleProviderName="CustomRoleProvider" />

At what point does my policy request/invoke the CustomRoleProvider, and is
there any way for me to declare allowed roles at the web method level, and
have the CustomRoleProvider validate these role declarations?
sjmueller - 21 Mar 2006 22:08 GMT
In the WSE 3 help, I could only find the following information on
'roleProviderName':
"The SOAP message sender is authorized based on the security token's
Principal property. When the security token does not have a Principal
property, such as the X509SecurityToken, the Identity property is used to
authorize the sender. The Identity property is set by the role provider
specified in the roleProviderName attribute"
This confuses me. How can the role provider set the identity property? The
following are the public methods for RoleProvider:
AddUsersToRoles
CreateRole
DeleteRole
FindUsersInRole
GetAllRoles
GetRolesForUser
GetUsersInRole
Initialize - Initializes the provider. (Inherited from ProviderBase.)
IsUserInRole
RemoveUsersFromRoles
RoleExists
In the end, I need to be able to configure roles on each web method. If the
PolicyAttribute could be placed at the web method level, rather than the
class level, that would be a big help. However, this is not currently
possible. This is why I am trying to explore what I can accomplish by using
a custom role provider in my policies, with the roleProviderName attribute in
the authorization node.
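
One way to get the per-method role declarations asked about above, as an added example that is not part of this thread and not WSE's own mechanism: a custom attribute names the allowed roles on each web method, and a helper asks the configured role provider whether the authenticated sender holds one of them, denying by default. `AllowedRolesAttribute`, `MethodRoleCheck` and the role name `Administrators` are hypothetical; the sketch assumes the ASP.NET role manager is enabled in web.config with the provider registered as `CustomRoleProvider`, and that the WSE identity token exposes the `Identity` property described in the quoted help text.

```csharp
using System;
using System.Reflection;
using System.Security.Principal;
using System.Web.Security;
using System.Web.Services;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Security.Tokens;

// Hypothetical attribute: declares the roles allowed to call one web method.
[AttributeUsage(AttributeTargets.Method)]
public sealed class AllowedRolesAttribute : Attribute
{
    public readonly string[] Roles;
    public AllowedRolesAttribute(params string[] roles) { Roles = roles; }
}

// Hypothetical helper: fails closed unless the provider confirms a declared role.
public static class MethodRoleCheck
{
    public static void Demand(MethodBase method, IIdentity caller, RoleProvider provider)
    {
        if (provider == null)
            throw new InvalidOperationException("Role provider is not configured.");
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Caller is not authenticated.");
        object[] declared = method.GetCustomAttributes(typeof(AllowedRolesAttribute), false);
        foreach (AllowedRolesAttribute attr in declared)
            foreach (string role in attr.Roles)
                if (provider.IsUserInRole(caller.Name, role))
                    return;
        // No attribute, an empty role list, or no matching role: deny.
        throw new UnauthorizedAccessException("Caller is not in an allowed role.");
    }
}

[WebService]
[Policy("MySecurityPolicy")]
public class Management : WebService
{
    [WebMethod]
    [AllowedRoles("Administrators")] // constructed role name
    public string HelloWorld()
    {
        SoapContext ctx = RequestSoapContext.Current;
        SecurityToken token = ctx == null ? null : ctx.IdentityToken;
        MethodRoleCheck.Demand(MethodBase.GetCurrentMethod(),
            token == null ? null : token.Identity,
            Roles.Providers["CustomRoleProvider"]);
        return "Hello World";
    }
}
```

Because the check runs inside the method body, every new web method needs both the attribute and the `Demand` call; a method that has the call but no attribute is rejected rather than left open.
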
Pablo Cibraro - 22 Mar 2006 14:30 GMT
Hi,
The "Web service security guide" from the Pattern & Practices team provides
good samples that show how to do that.
http://www.gotdotnet.com/codegallery/codegallery.aspx?id=67f659f6-9457-4860-80ff-0535dffed5e6
I recommend you take a look there first.
Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax