Just a thought, but could you override SomePrincipal.IsInRole itself?
…assuming you are using CSLA principal…
Sergey Barskiy
Senior Consultant
office: 678.405.0687 |
mobile: 404.388.1899
Microsoft Worldwide Partner of the Year | Custom
Development Solutions, Technical Innovation
From: ajj3085 [mailto:cslanet@lhotka.net]
Sent: Tuesday, June 03, 2008 4:43 PM
To: Sergey Barskiy
Subject: [CSLA .NET] AllowWrite et al.
Hi,
I know this has been discussed before, but I'm not sure what the current state
is.
I don't want Csla, when checking privileges, to just do a .IsInRole on the
principal. I'd like to specify my own function to call, because I have my
own mapping of Windows AD Groups to application roles that I need to perform.
Is there anything in Csla right now that allows me to do this, or am I on my
own?
Thanks
Andy
Another thought is to have a class that will translate AD groups
to custom roles, as in
AuthorizationRules.AllowRead("SomePropName", MyTranslatorClass.GetADRolesList(new string[] { "CustomRole1", "CustomRole2" }))
Sergey Barskiy
From: ajj3085 [mailto:cslanet@lhotka.net]
Sent: Tuesday, June 03, 2008 4:57 PM
To: Sergey Barskiy
Subject: Re: [CSLA .NET] RE: AllowWrite et al.
I am using WindowsPrincipal.. was hoping to avoid building a
CslaPrincipal, but if that's the best way to go right now..
Andy
Looks good to me. WindowsPrincipal is serializable, so it
should not have a problem going to DataPortal.
Sergey Barskiy
From: ajj3085 [mailto:cslanet@lhotka.net]
Sent: Wednesday, June 04, 2008 9:19 AM
To: Sergey Barskiy
Subject: Re: [CSLA .NET] RE: AllowWrite et al.
Here's my principal class:
using System;
using System.Collections.Generic;
using System.Security.Principal;
using Csla.Security;

[Serializable]
public sealed class MyPrincipal : BusinessPrincipalBase {
    #region Fields
    private WindowsPrincipal principal;
    #endregion

    #region BusinessPrincipalBase overrides
    /// <summary>Determines if the identity
    /// is a member of the specified role.</summary>
    /// <param name="role">The role to check.</param>
    /// <returns><c>true</c> if the identity
    /// is a member of <paramref name="role"/>.</returns>
    /// <exception cref="ArgumentNullException">Thrown if
    /// <paramref name="role"/> is <see langword="null"/>
    /// or <see cref="String.Empty"/>.</exception>
    public override bool IsInRole( string role ) {
        bool result;
        IList<string> groups;

        if ( string.IsNullOrEmpty( role ) ) {
            throw new ArgumentNullException( "role" );
        }

        result = false;
        // Look up the groups mapped to this application role.
        groups = RoleGroupMapper.Mapper[ role ];

        // Membership in any one of the mapped groups grants the role.
        foreach ( string group in groups ) {
            if ( principal.IsInRole( group ) ) {
                result = true;
                break;
            }
        }

        return result;
    }
    #endregion

    #region Constructor
    /// <summary>Creates a new instance of the principal.</summary>
    internal MyPrincipal() : base( WindowsIdentity.GetCurrent() ) {
        principal = new WindowsPrincipal( (WindowsIdentity)Identity );
    }
    #endregion
}
So I now use CslaAuthentication = "Csla" and CslaAlwaysImpersonate
(since I use Windows integrated auth on the remoting portal)?
Just want to make sure I'm getting this right.
Andy
Andy,
In 3.5 Rocky added a Delegate that you can use for this. The default uses IsInRole but if you add a config file setting it will use whatever function you tell it to. I have a function HasPermission which is finer grained than IsInRole.
Authorization (071030-VB/071127-C#)
Change authorization so it calls a delegate to process IsInRole(), rather than calling principal.IsInRole() directly. The default delegate implementation will call principal.IsInRole(), but now CSLA can be extended by implementing a provider for this delegate that can answer the IsInRole() question in different ways if needed.
====================================================================
In your custom principal class add a method that conforms to the delegate:
Private Shared Function HasPermissionProvider(ByVal principal As IPrincipal, ByVal permission As String) As Boolean
Return CType(principal, MyPrincipal).HasPermission(permission)
End Function
====================================================================
In your config file:
<appSettings>
<add key="CslaIsInRoleProvider" value="MyCo.BO.MyPrincipal,MyCo.BO,HasPermissionProvider" />
</appSettings>
====================================================================
Joe
Hi!
Perhaps one additional bit of information regarding the current (up to 3.6.2) implementation of the evaluation of the CslaIsInRoleProvider config setting. Neither the Csla (AuthorizationRulesManager.IsInRole) nor the CreateDelegate function "trims" the method name from whitespaces. I accidentally used ", " as a delimiter instead of ',' and was struggling for hours with an ArgumentException.
Best Regards, Tim
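A startup check for the CslaIsInRoleProvider value discussed in the two posts above, written as an added example that is not part of the thread and is not CSLA's own code. It rejects untrimmed segments and confirms the named method binds to a delegate with the shape of HasPermissionProvider. The names RoleCheck, SampleProvider and IsInRoleSettingCheck are hypothetical, and the sample setting values are constructed.

```csharp
using System;
using System.Security.Principal;

// Local stand-in with the shape of HasPermissionProvider (assumption, not a CSLA type).
public delegate bool RoleCheck(IPrincipal principal, string role);

public static class SampleProvider   // hypothetical provider used only by this example
{
    public static bool HasPermissionProvider(IPrincipal principal, string permission)
    {
        return principal != null && principal.IsInRole(permission);
    }
}

public static class IsInRoleSettingCheck
{
    // Returns null when the value is usable, otherwise a description of the problem.
    public static string Validate(string setting)
    {
        if (string.IsNullOrEmpty(setting)) return "setting is missing";
        string[] parts = setting.Split(',');
        if (parts.Length != 3) return "expected Type,Assembly,Method but got " + parts.Length + " part(s)";
        foreach (string part in parts)
        {
            if (part.Length == 0) return "empty segment";
            if (part != part.Trim()) return "segment '" + part + "' has leading or trailing whitespace";
        }
        Type type = Type.GetType(parts[0] + "," + parts[1], false);
        if (type == null) return "type '" + parts[0] + "' not found in assembly '" + parts[1] + "'";
        // throwOnBindFailure = false: a null result means no matching static method.
        Delegate d = Delegate.CreateDelegate(typeof(RoleCheck), type, parts[2], false, false);
        return d == null ? "no static method '" + parts[2] + "' with signature (IPrincipal, string) : bool" : null;
    }

    public static void Main()
    {
        string asm = typeof(SampleProvider).Assembly.GetName().Name;
        string[] samples = {                                      // constructed sample values
            "SampleProvider," + asm + ",HasPermissionProvider",
            "SampleProvider," + asm + ", HasPermissionProvider",  // the ", " delimiter from the post
            "SampleProvider," + asm + ",NoSuchMethod"
        };
        foreach (string s in samples)
        {
            string problem = Validate(s);
            // A real application should refuse to start when problem is not null.
            Console.WriteLine("{0} => {1}", s, problem ?? "OK");
        }
    }
}
```

Running the check once at application start surfaces a bad setting before the first authorization call instead of as an ArgumentException in the middle of one.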
Copyright (c) Marimer LLC