Security

Old forum URL: forums.lhotka.net/forums/t/1521.aspx


yh_ink posted on Tuesday, October 17, 2006

I am implementing security in my classes. This is what I do within the static method:

    public static XYZ New()
    {
        if (!Thread.CurrentPrincipal.IsInRole("Test")) //Identity.IsAuthenticated)
            throw new System.Security.SecurityException("User not authorized");

        return (XYZ)DataPortal.Create(new Criteria(string.Empty, string.Empty));
    }

When I run, I am an authenticated user but it throws an exception.

But when I do this:

    public static XYZ New()
    {
        return (XYZ)DataPortal.Create(new Criteria(string.Empty));
    }

    public override BusinessBase Save()
    {
        if (IsDeleted)
        {
            System.Security.Principal.IIdentity user = Thread.CurrentPrincipal.Identity;
            bool b = user.IsAuthenticated;

            if (!Thread.CurrentPrincipal.Identity.IsAuthenticated)
                throw new Exception("User not authorized to remove the user");
        }
        else
        {
            if (!Thread.CurrentPrincipal.Identity.IsAuthenticated)
                throw new Exception("User not authorized to add or update the user");
        }

        return base.Save();
    }

The BusinessBase Save() here checks for the authentication and works perfectly.

My question is: can't we check for authentication when the new object is created?

jkellywilkerson replied on Tuesday, October 17, 2006

Are you getting a Security Exception or are you getting an exception because you are passing two parameters to the Criteria constructor? I did not know if that was a typo or not.

Kelly.

yh_ink replied on Wednesday, October 18, 2006

I have a security exception.

SonOfPirate replied on Wednesday, October 18, 2006

I would suggest looking at what the Thread.CurrentPrincipal actually is and the type of authentication you are using.  The difference between the two code samples you gave is that you are only checking IsAuthenticated in the one that works but you are looking for the "Test" role in the one that fails.  That tells me that whatever the CurrentPrincipal actually is, it is authenticated but NOT in the "Test" role.

It is possible that you are not setting the CurrentPrincipal to the user that you expect or that the roles aren't being set right, etc.  Set a breakpoint in your code and evaluate what is being returned by CurrentPrincipal (WindowsPrincipal, GenericPrincipal, your custom principal, etc.) and see if this is the case.  If so, you will need to work backwards to find where the CurrentPrincipal should be getting set and make your correction there.
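The inspection suggested in the reply above, as an added example that is not part of the original thread: it prints what a breakpoint on Thread.CurrentPrincipal would show and runs the same IsInRole("Test") guard against three principals. The helper names (Describe, DemandRole, Try) are hypothetical, and the user name "alice" and authentication type "Custom" are constructed sample values.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

static class PrincipalCheck
{
    // Hypothetical helper: summarizes what inspecting the principal at a breakpoint shows.
    static string Describe(IPrincipal p, string role)
    {
        if (p == null) return "principal=<null>";
        IIdentity id = p.Identity;
        return string.Format(
            "type={0} name='{1}' authType='{2}' IsAuthenticated={3} IsInRole({4})={5}",
            p.GetType().Name, id.Name, id.AuthenticationType,
            id.IsAuthenticated, role, p.IsInRole(role));
    }

    // Same guard as the factory method in the question, reduced to the role check.
    static void DemandRole(string role)
    {
        if (!Thread.CurrentPrincipal.IsInRole(role))
            throw new SecurityException("User not authorized");
    }

    // Installs the principal on the current thread, reports it, then runs the guard.
    static void Try(string label, IPrincipal p)
    {
        Thread.CurrentPrincipal = p;
        Console.WriteLine("{0}: {1}", label, Describe(p, "Test"));
        try { DemandRole("Test"); Console.WriteLine("  role check passed"); }
        catch (SecurityException ex) { Console.WriteLine("  " + ex.Message); }
    }

    static void Main()
    {
        // Constructed principals. An empty name makes GenericIdentity.IsAuthenticated false.
        Try("anonymous", new GenericPrincipal(new GenericIdentity(""), new string[0]));
        // Authenticated, but no roles were loaded: IsAuthenticated is true, IsInRole fails.
        Try("no roles", new GenericPrincipal(new GenericIdentity("alice", "Custom"), new string[0]));
        // Authenticated and in the role the guard demands.
        Try("in role", new GenericPrincipal(new GenericIdentity("alice", "Custom"), new[] { "Test" }));
    }
}
```

The "no roles" case is the one the reply describes: an IsAuthenticated check passes while the role check throws, which points at where the principal and its role list are set rather than at the guard itself.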

 

yh_ink replied on Wednesday, October 18, 2006

Hey,

Instead of checking IsRoles thought it's an IsAuthenticated it turns out to throw an exception.

When I put the breakpoint and look at CurrentPrincipal.IsAuthenticated, it shows IsAuthenticated is set to false and throws an exception.

But how does it work fine in the second case which I listed above? How does IsAuthenticated check for the right user with the right roles?

yh_ink replied on Wednesday, October 18, 2006

Could anyone please help me know how the security has to be set based on the user role for the classes, so that a class should work based on authentication? If the user is authenticated it has to work, else throw an exception saying not authenticated.

Copyright (c) Marimer LLC