AllowWrite et al.

Old forum URL: forums.lhotka.net/forums/t/4931.aspx


ajj3085 posted on Tuesday, June 03, 2008

Hi,

I know this has been discussed before, but I'm not sure what the current state is.

I don't want Csla, when checking privileges, to just do a .IsInRole on the principal.  I'd like to specify my own function to call, because I have my own mapping of Windows AD Groups to application roles that I need to perform.

Is there anything in Csla right now that allows me to do this, or am I on my own?

Thanks
Andy

sergeyb replied on Tuesday, June 03, 2008

Just a thought, but could you override SomePrincipal.IsInRole itself?  …assuming you are using CSLA principal…

Sergey Barskiy

Senior Consultant

office: 678.405.0687 | mobile: 404.388.1899

Microsoft Worldwide Partner of the Year | Custom Development Solutions, Technical Innovation

ajj3085 replied on Tuesday, June 03, 2008

I am using WindowsPrincipal.. was hoping to avoid building a CslaPrincipal, but if that's the best way to go right now..

Andy

sergeyb replied on Tuesday, June 03, 2008

Another thought is to have a class that will translate AD groups to custom roles, as in

AuthorizationRules.AllowRead( "SomePropName", MyTranslatorClass.GetADRolesList( new string[] { "CustomRole1", "CustomRole2" } ) );

ajj3085 replied on Wednesday, June 04, 2008

I think I'll go with the first idea, to use Csla authentication as that will require the least amount of code changes.

ajj3085 replied on Wednesday, June 04, 2008

Here's my principal class:
    using System;
    using System.Collections.Generic;
    using System.Security.Principal;
    using Csla.Security;

    // RoleGroupMapper.Mapper (not shown in the thread) is the poster's own lookup
    // from an application role name to the list of Windows/AD group names that grant it.
    [Serializable]
    public sealed class MyPrincipal : BusinessPrincipalBase {
        #region Fields

        private WindowsPrincipal principal;

        #endregion

        #region BusinessPrincipalBase overrides

        /// <summary>Determines if the identity
        /// is a member of the specified role.</summary>
        /// <param name="role">The role to check.</param>
        /// <returns><c>true</c> if the identity
        /// is a member of <paramref name="role"/>.</returns>
        /// <exception cref="ArgumentNullException">Thrown if
        /// <paramref name="role"/> is <see langword="null"/>
        /// or <see cref="String.Empty"/>.</exception>
        public override bool IsInRole( string role ) {
            bool result;
            IList<string> groups;

            if ( string.IsNullOrEmpty( role ) ) {
                throw new ArgumentNullException( "role" );
            }

            result = false;

            // Translate the application role into the AD groups that grant it,
            // then ask the wrapped WindowsPrincipal about each group in turn.
            groups = RoleGroupMapper.Mapper[ role ];

            foreach ( string group in groups ) {
                if ( principal.IsInRole( group ) ) {
                    result = true;
                    break;
                }
            }

            return result;
        }

        #endregion

        #region Constructor

        /// <summary>Creates a new instance of the principal.</summary>
        internal MyPrincipal() : base( WindowsIdentity.GetCurrent() ) {
            principal = new WindowsPrincipal( (WindowsIdentity)Identity );
        }

        #endregion
    }

So I now use CslaAuthentication = "Csla" and CslaAlwaysImpersonate (since I use Windows integrated auth on the remoting portal)?

Just want to make sure I'm getting this right.

Andy

sergeyb replied on Wednesday, June 04, 2008

Looks good to me.  WindowsPrincipal is serializable, so it should not have a problem going to DataPortal.

JoeFallon1 replied on Wednesday, June 04, 2008

Andy,

In 3.5 Rocky added a Delegate that you can use for this. The default uses IsInRole but if you add a config file setting it will use whatever function you tell it to. I have a function HasPermission which is finer grained than IsInRole.

Authorization (071030-VB/071127-C#)

Change authorization so it calls a delegate to process IsInRole(), rather than calling principal.IsInRole() directly. The default delegate implementation will call principal.IsInRole(), but now CSLA can be extended by implementing a provider for this delegate that can answer the IsInRole() question in different ways if needed.

====================================================================

In your custom principal class add a method that conforms to the delegate:

Private Shared Function HasPermissionProvider(ByVal principal As IPrincipal, ByVal permission As String) As Boolean
  Return CType(principal, MyPrincipal).HasPermission(permission)
End Function

====================================================================

In your config file:

<appSettings>
  <add key="CslaIsInRoleProvider" value="MyCo.BO.MyPrincipal,MyCo.BO,HasPermissionProvider" />
</appSettings>

====================================================================

Joe

ajj3085 replied on Wednesday, June 04, 2008

Ahh, so it did make it in there.  Sadly, I'm not on 3.5 yet... soon I hope.

tim.offermann replied on Friday, April 24, 2009

Hi!

Perhaps one additional bit of information regarding the current (up to 3.6.2) implementation of the evaluation of the CslaIsInRoleProvider config setting. Neither Csla (AuthorizationRulesManager.IsInRole) nor the CreateDelegate function "trims" whitespace from the method name. I accidentally used ", " as a delimiter instead of ',' and was struggling for hours with an ArgumentException.

Best Regards, Tim
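As an added example (not Joe's, Tim's or the CSLA project's code): a C# provider method in the (IPrincipal, string) shape that Joe's VB sample conforms to, answering the role question through an AD-group map so a plain WindowsPrincipal is enough, plus a trimming parser for the config value that avoids the whitespace problem Tim hit. The class name, the role-to-group map and the group names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
// Hypothetical provider class; the role map and the principals in Main are constructed sample data.
public static class AdRoleProvider
{
    // Application role -> Windows/AD groups that grant it (constructed sample mapping).
    private static readonly Dictionary<string, string[]> RoleToGroups =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "OrderEditor",   new[] { @"CORP\Sales", @"CORP\SalesManagers" } },
            { "OrderApprover", new[] { @"CORP\SalesManagers" } },
        };
    // Same (IPrincipal, string) -> bool shape as the delegate in Joe's VB sample. CSLA would reach it
    // through the CslaIsInRoleProvider appSetting, e.g. "MyCo.BO.AdRoleProvider,MyCo.BO,IsInRole".
    public static bool IsInRole(IPrincipal principal, string role)
    {
        if (principal == null || string.IsNullOrEmpty(role))
            return false;                     // deny by default rather than throw inside a rule check
        string[] groups;
        if (!RoleToGroups.TryGetValue(role, out groups))
            return false;                     // an application role with no mapping grants nothing
        foreach (string group in groups)
            if (principal.IsInRole(group))
                return true;
        return false;
    }
    // Tim's pitfall: CSLA does not trim the three comma-separated parts, so "A, B, C" fails at startup.
    // This tolerant parser (ours, not CSLA's) lets a deployment validate the setting before use.
    public static string[] ParseProviderSetting(string value)
    {
        string[] parts = (value ?? string.Empty).Split(',');
        if (parts.Length != 3)
            throw new ArgumentException("Expected 'TypeName,AssemblyName,MethodName'", "value");
        for (int i = 0; i < parts.Length; i++)
            parts[i] = parts[i].Trim();
        return parts;
    }
    public static void Main()
    {
        // GenericPrincipal stands in for the WindowsPrincipal; its role list plays the AD group list.
        IPrincipal alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { @"CORP\Sales" });
        IPrincipal bob = new GenericPrincipal(new GenericIdentity("bob"), new[] { @"CORP\SalesManagers" });
        Console.WriteLine("alice OrderEditor: " + IsInRole(alice, "OrderEditor"));
        Console.WriteLine("alice OrderApprover: " + IsInRole(alice, "OrderApprover"));
        Console.WriteLine("bob OrderApprover: " + IsInRole(bob, "OrderApprover"));
        Console.WriteLine(string.Join("|", ParseProviderSetting("MyCo.BO.AdRoleProvider, MyCo.BO, IsInRole")));
    }
}
```

Because the provider receives whatever principal is current, it also works with WindowsPrincipal directly, which is the route Andy originally wanted.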

Copyright (c) Marimer LLC