Protect a method on a class using declarative security and azman
https://stackoverflow.com/questions/8433874
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have a wcf 4.0 service , I am running it locally in IIS express and am using azman to manage security. I am able to use the declarative syntax to secure the services, and prevent class instantiation in a class library. However when I decorate a method in the class it has no effect.
[PrincipalPermission(SecurityAction.Demand, Role = "AdminRole")] //THIS WORKS
public class MaintainUser
{
[PrincipalPermission(SecurityAction.Demand, Role = "CreateNewUserx")] //THIS DOES NOT WORK
public void CreateNewUser()
{
if (ViterraSecurity.VerifyAccess.HasOperation("CreateNewUserx", ViterraSecurity.VerifyAccess.BasisOperations.CreatUser))
{
return;
}
throw new AccessViolationException("CreateNewUser");
}
}
Is it possible to enable security checks on methods?
Solution
I'm guessing that CreateNewUserx is an operation or task in AzMan, not a role. AuthorizationStoreRoleProvider only recognizes AzMan roles, and PrincipalPermission only checks the roles exposed by an IPrincipal. However, this is a bit of a backwards way of using AzMan, since the main point of an operations-based authorization mechanism is to allow roles to be user-configurable and allow the application to only worry about operations.
I would recommend scrapping your demands for roles in favour of demanding only operation permissions. With such an approach, you would need to change either your permission (and attribute) or your principal implementation, or both to be aware of AzMan operations.
