Problem with custom authorization

Old forum URL: forums.lhotka.net/forums/t/1724.aspx

albruan posted on Thursday, November 09, 2006

I have created a custom Identity class and extended the Csla.Security.BusinessPrincipalBase class in my BO library in order to implement an IsPermitted method. This is something I've done with previous applications and it has performed as expected; however, it refuses to work at all in my current application. The message I receive when I check IsPermitted is:

Cannot cast 'System.Threading.Thread.CurrentPrincipal' (which has an actual type of 'System.Security.Principal.GenericPrincipal') to 'Csla.Security.BusinessPrincipalBase'

In my extended BusinessPrincipalBase, IsPermitted is coded as follows:

public bool IsPermitted(string Department, string Role)
{
    RTPIdentity identity = (RTPIdentity)this.Identity;
    return identity.IsPermitted(Department, Role);
}

Identity is obtained via:

internal static RTPIdentity GetIdentity(string username, string password)
{
    return DataPortal.Fetch<RTPIdentity>(new Criteria(username, password));
}

This has me thoroughly confused since it has worked without a hitch in my other applications. Does anyone have an idea why this is occurring?

albruan replied on Thursday, November 09, 2006

I neglected to include a few things. First of all, I have a helper function in my UI layer as follows:

private bool IsPermitted(string department, string role)
{
    // Casts the thread principal to the CSLA base type before calling IsPermitted
    return ((Csla.Security.BusinessPrincipalBase)
        (System.Threading.Thread.CurrentPrincipal)).IsPermitted(department, role);
}

It is when I try to retrieve IsPermitted in the return statement that the problem occurs.

RockfordLhotka replied on Thursday, November 09, 2006

First, if your current principal is of type GenericPrincipal, then this can never work. You must set the current principal to be YOUR custom principal object at some point in your code. Look at Chapters 8 and 9 to see how to properly set up custom authentication.

Second, I recommend using Csla.ApplicationContext.User to get at the current principal. While your approach of using System.Threading is fine, it may fail to work correctly in certain web scenarios. This can even impact you with a smart client app if you decide to use a remote data portal, because that's typically hosted in ASP.NET. Csla.ApplicationContext.User is designed to allow you safe access to the current principal inside and outside of ASP.NET. (See Chapter 4 for full details.)
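The two points in the reply above, as an added example that is not code from the thread or from CSLA itself: the custom principal installs itself into Csla.ApplicationContext.User after the identity is fetched, and the UI check uses a type test instead of a hard cast, so a leftover GenericPrincipal is denied rather than throwing. The class name RTPPrincipal and its Login method are assumptions; RTPIdentity, Criteria, GetIdentity and IsPermitted are taken from the thread.

```csharp
using System;
using System.Security.Principal;
using Csla;
using Csla.Security;

// Hypothetical custom principal (name assumed); RTPIdentity.GetIdentity is
// the internal factory shown in the thread, so this lives in the same assembly.
[Serializable]
public class RTPPrincipal : BusinessPrincipalBase
{
    private RTPPrincipal(IIdentity identity) : base(identity) { }

    // Fetches the identity and makes the custom principal the current user.
    // ApplicationContext.User works both inside and outside ASP.NET, which
    // Thread.CurrentPrincipal alone does not guarantee.
    public static bool Login(string username, string password)
    {
        RTPIdentity identity = RTPIdentity.GetIdentity(username, password);
        if (identity == null || !identity.IsAuthenticated)
        {
            // Fail closed: an empty GenericIdentity reports IsAuthenticated == false.
            ApplicationContext.User =
                new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            return false;
        }
        ApplicationContext.User = new RTPPrincipal(identity);
        return true;
    }

    public bool IsPermitted(string department, string role)
    {
        RTPIdentity identity = Identity as RTPIdentity;
        return identity != null && identity.IsAuthenticated
            && identity.IsPermitted(department, role);
    }
}

// UI-layer helper. The original hard cast throws when the current principal is
// still a GenericPrincipal; 'as' yields null and the check simply denies access.
public static class Authz
{
    public static bool IsPermitted(string department, string role)
    {
        RTPPrincipal principal = ApplicationContext.User as RTPPrincipal;
        return principal != null && principal.IsPermitted(department, role);
    }
}
```

Call RTPPrincipal.Login at sign-in before any Authz.IsPermitted check; if Login is never called, every check returns false instead of raising the cast error quoted in the first post.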

Copyright (c) Marimer LLC