Hi, I am developing a security module for my system and have run into a problem with authorizing users. I use a WCF service as a remote data portal and also use the CSLA Authorization Provider to call my class "CustomAuthorizer" to verify the user and set up the identity and principal objects.
What is happening is that when the user is authorized and the identity and principal are created on the service, I set csla.applicationcontext.user = CustomPrincipal. When processing returns to the client application, however, the role set up on the service is not in the client's applicationcontext.
Hoping someone can help me with this.
User principal is one-way only, from client to server.
I assume you are using a custom principal and identity object (derived from CslaPrincipal and CslaIdentity).
You should authorize the user, possibly by making a separate call to the server, and set the ApplicationContext.User on the client. The principal object will then be transferred to the server when AuthorizationMode is set to anything but Windows (as the WindowsPrincipal is not serializable). So the idea is that your "CustomAuthorizer" can check for explicit roles or do other "data driven" authorizations before the execution hits actual code, and keep this code in just one place.
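As an added illustration of the flow described in this answer (not code from the thread or from CSLA's own samples): the client authenticates once, sets ApplicationContext.User, and every data-portal method still re-checks the role on the server. The `ServerAuthenticate` call, the `CustomerReader` role and the plain serializable IPrincipal/IIdentity stand-ins are assumptions; classes derived from CslaPrincipal and CslaIdentity would be used the same way.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using Csla;

// Plain serializable identity/principal (stand-ins for CslaIdentity/CslaPrincipal
// derived types) so they can travel with each data-portal request, client -> server.
[Serializable]
public class CustomIdentity : IIdentity
{
    private readonly string[] _roles;
    public CustomIdentity(string name, bool authenticated, string[] roles)
    { Name = name; IsAuthenticated = authenticated; _roles = roles ?? new string[0]; }
    public string Name { get; private set; }
    public bool IsAuthenticated { get; private set; }
    public string AuthenticationType { get { return "Custom"; } }
    public bool IsInRole(string role) { return Array.IndexOf(_roles, role) >= 0; }
}

[Serializable]
public class CustomPrincipal : IPrincipal
{
    private readonly CustomIdentity _identity;
    public CustomPrincipal(CustomIdentity identity) { _identity = identity; }
    public IIdentity Identity { get { return _identity; } }
    public bool IsInRole(string role) { return _identity.IsInRole(role); }
}

public static class ClientLogin
{
    // Client side: verify credentials via a separate server call (ServerAuthenticate is
    // assumed; it returns the user's roles or null), then publish the principal on the
    // CLIENT. Only after this point do data-portal calls carry the principal to the server.
    public static bool Login(string user, string password)
    {
        string[] roles = ServerAuthenticate(user, password);
        if (roles == null) return false;
        ApplicationContext.User = new CustomPrincipal(new CustomIdentity(user, true, roles));
        return true;
    }
    private static string[] ServerAuthenticate(string user, string password)
    { return null; /* hypothetical: replace with a command object that runs server-side */ }
}

[Serializable]
public class CustomerEdit : BusinessBase<CustomerEdit>
{
    public static readonly PropertyInfo<int> IdProperty = RegisterProperty<int>(c => c.Id);
    public int Id { get { return GetProperty(IdProperty); } set { SetProperty(IdProperty, value); } }

    // Server side: the principal arrived with the request, but the server re-checks the
    // role in every data-portal method instead of trusting whatever the client set.
    private void DataPortal_Fetch(int id)
    {
        if (!ApplicationContext.User.IsInRole("CustomerReader"))
            throw new SecurityException("Not authorized to fetch customers.");
        using (BypassPropertyChecks) { Id = id; }
    }
}
```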
Thanks for the quick reply!
Now that I know the User principal is only one-way, things make a lot more sense. I did change my program so it does the role set-up on the client side and still does separate checks on the server for every dataportal method.
Copyright (c) Marimer LLC