if my project doesn't need authorization what i have to do ?

That exception is gone in 3.6 btw.

In 3.6 the rules are (by default) simpler:

1.       With CslaAuthentication=Csla the principal is serialized through the data portal, so it must be serializable – that’s the only constraint

2.       With CslaAuthentication=Windows the principal is unaffected by the data portal and CSLA uses whatever principal exists on the client and server – it is up to you and IIS and WCF and ASP.NET and whatever other technologies to get the principal values to be correct

And if CslaAuthentication=Csla, you can provide a bit of code that is run at the start of every single server call, where you can authenticate the principal provided by the client. This is where I used to throw the BusinessPrincipal exception, but now it is open for you to do whatever you think is best for your app.

Rocky

That's good to know, thanks! I was naively responding with my limited experience with the "Principal must be of type BusinessPrincipal, not..." exception in mind.

I remember writing about it :)

But you are right – I don’t see it in the index either. Fortunately it is relatively easy.

You need to do this:

1.       Create a class that implements Csla.Server.IAuthorizeDataPortal, which means you’ll implement an Authorize() method

2.       In that Authorize() method throw an exception to block an inbound request, or don’t throw an exception to allow the request to be processed

3.       Set the CslaAuthorizationProvider config value to your assembly-qualified type name: “MyAssembly.MyAuthorizer,MyAssembly” on the data portal server (so typically in web.config)

The Authorize() method is handed a parameter that allows you to see (and I suppose manipulate) everything that’s known about the inbound request. This occurs immediately after the inbound objects are deserialized from the client, and before anything else (so you aren’t in a transaction yet, or anything like that).

Rocky