Question

I'm trying to secure a WCF service using Windows accounts. The service should run on many systems with different languages. How can I set a PrincipalPermission that has language-independent role names?

I found ugly workarounds like this one.

[PrincipalPermission(SecurityAction.Demand, Role = "Builtin\\Administrators")] // English
[PrincipalPermission(SecurityAction.Demand, Role = "Vordefiniert\\Administratoren")] // German
public string HelloWorld()
{
    return "Hello";
}

I don't think this is a good solution. Is there any way to make this language independent? Is there a way to use the account SID instead of a string?


Solution

One more try: Have a look at http://msdn.microsoft.com/en-us/library/system.security.principal.windowsbuiltinrole.aspx and go to the sample. There you can use the BuiltIn enumeration members to get the correctly spelled group name (via the API); then it should be language neutral.

HTH, Thomas

OTHER TIPS

You could roll your own permission attribute which handles the translation:

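 using System;
 using System.Runtime.InteropServices;
 using System.Security;
 using System.Security.Permissions;
 using System.Security.Principal;

 [Serializable, AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = true, Inherited = false), ComVisible(true)]
 public sealed class AdministratorPrincipalPermissionAttribute : CodeAccessSecurityAttribute
 {
    public AdministratorPrincipalPermissionAttribute(SecurityAction action) : base(action)
    { }

    public override IPermission CreatePermission()
    {
       // Build the language-neutral SID for the local Administrators group.
       var identifier = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
       // Translate the SID to the account name in the local OS language.
       var role = identifier.Translate(typeof(NTAccount)).Value;
       // Any authenticated user (name = null) who is a member of that role.
       return new PrincipalPermission(null, role);
    }
 }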

Please note that this would require some extra deployment effort (gac, caspol etc.).

You may use the imperative version and dynamically convert a language-neutral form (e.g. SID) to the localized form (maybe through SecurityIdentifier.Translate).

Well known SIDs are listed in KB 243330.
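The imperative approach from the answer above, as an added example that is not part of the original answers. `SidRoles`, `HelloService` and `HelloWorldBySid` are hypothetical names, and the service is assumed to use Windows authentication.

```csharp
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical helper (the name is an assumption, not from the page).
public static class SidRoles
{
    // Resolve a well-known SID to the account name in the local OS language,
    // i.e. the localized group names the question hard-codes.
    public static string LocalizedName(WellKnownSidType type)
    {
        // domainSid may be null for BUILTIN groups; domain-relative SIDs need one.
        var sid = new SecurityIdentifier(type, null);
        return sid.Translate(typeof(NTAccount)).Value;
    }

    // Imperative equivalent of [PrincipalPermission(SecurityAction.Demand, Role = ...)].
    // Throws SecurityException if Thread.CurrentPrincipal is not in the role.
    public static void Demand(WellKnownSidType type)
    {
        new PrincipalPermission(null, LocalizedName(type)).Demand();
    }

    // Alternative without any name translation: compare group SIDs directly.
    public static bool IsMember(WindowsIdentity caller, WellKnownSidType type)
    {
        return new WindowsPrincipal(caller).IsInRole(new SecurityIdentifier(type, null));
    }
}

// Hypothetical service class reusing the question's HelloWorld method.
public class HelloService
{
    public string HelloWorld()
    {
        SidRoles.Demand(WellKnownSidType.BuiltinAdministratorsSid);
        return "Hello";
    }

    public string HelloWorldBySid()
    {
        // ServiceSecurityContext.Current is null outside a secured WCF call.
        var ctx = ServiceSecurityContext.Current;
        if (ctx == null || !SidRoles.IsMember(ctx.WindowsIdentity, WellKnownSidType.BuiltinAdministratorsSid))
            throw new SecurityException("Caller is not a member of the required group.");
        return "Hello";
    }
}
```

`Demand` evaluates `Thread.CurrentPrincipal`, which WCF sets to the caller's `WindowsPrincipal` under the default `PrincipalPermissionMode` (`UseWindowsGroups`). With UAC, a caller holding a filtered token fails both checks for the Administrators group even though the account is a member.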

Hmmmm, I would not use a group name directly in my code (hard coded). Try to abstract it to a role like "HelloWorldAdmin" and have a role configured in the app.config. This one should be mapped to a user group. This would allow your users / admins to select a group and map it to the role (e.g. in case that the application admins are not your AD admins). Have a look at http://msdn.microsoft.com/en-us/library/ms998314.aspx. HTH.

Are you absolutely sure that on a German-language system, the "BUILTIN\Administrators" will not work? I would have imagined even then, these basic group names should be valid. Yes, in your admin tools, it will show "Vordefiniert\Administratoren" - but I would be surprised if the PrincipalPermission attribute would be language-dependent.

Marc

Licensed under: CC-BY-SA with attribution