.NET Remoting Return SecurityException IMessage

[Guest]

Not that I've ever gotten any reponse to questions in the past, but I don't
know where else to turn.
I have a remoting application (.NET 2.0, VS 2005, C#) with a custom
ChannelSinkProvider as described in this article
http://msdn2.microsoft.com/en-us/library/ms973909.aspx

This example uses role-based security by way of decorating each method with
[PrinciplePermissionAttribute(SecurityAction.Demand, Role="Administrator")]
or some other programmer defined role.

It works fine... the problem is, the user has no idea why the action is not
being performed, it just silently fails if the user is not a member of the
specified role. I would like to capture this SecurityException message and
send it back to the user as a Response to their request, then handle the
Response by printing it to the status bar in the client application.

But I can't figure out where to capture this exception and create the
response message because it's an attribute on the method. Where would the
exception occur? My code is identical to the code at the above website.

 

[Jialiang Ge [MSFT]]

Hello,

From your post, my understanding on this issue is: you wonder how to catch
the SecurityException thrown by PrinciplePermissionAttribute when the
security check fails. If I'm off base, please feel free to let me know.

As we know, the PrinciplePermissionAttribute provides another way of
validating the current user's credentials. It serves the same purpose as
the PrincipalPermission class, but it's used declaratively. In other words,
we attach it to a given class or method, and the CLR checks it
automatically when the corresponding code runs. The exception handling now
works a little bit differently from what we do for PrincipalPermission
class: *this time we cannot catch the exception within the function on
which the attribute has been applied. We have to catch the exception in the
function that actually calls this function.* For instance, if you apply the
PrincipalPermission attribute on an event procedure (such as Button_Click)
of an ASP.NET web project, we have to catch the exception in the global
Application_Error event which can be found in global.asax file. Please
check if your client is allowed to add the try {} catch around the method
call. If it is not allowed, I would like to suggest using
PrincipalPermission class
(http://msdn2.microsoft.com/en-us/library/system.security.permissions.princi
palpermission(VS.80).aspx), rather than PrincipalPermissionAttribute.

Please let me know if you have any other concerns, or need anything else.

Sincerely,
Jialiang Ge ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
For MSDN subscribers whose posts are left unanswered, please check this
document: http://blogs.msdn.com/msdnts/pages/postingAlias.aspx

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications. If you are using Outlook Express/Windows Mail, please make sure
you clear the check box "Tools/Options/Read: Get 300 headers at a time" to
see your reply promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Yes, thank you very much Jialiang... your interpretation of my puzzlement was
right on base.

So, based on what you are telling me, I can simply capture the "Response"
from the method by placing the call from the remote client in a try{} catch
{} clause?

I don't need to append the denial message to the IMessage object in the
MessageSink chain?

Ultimately, this is what I'd like to get to... I have the Remote Server
running on a network machine which is a domain member. The clients are also
network machines within the same domain. The "services," which I call Remote
Objects are located on the server machine, as well, with similar signatures...

[PrinciplePermissionAttribute(SecurityAction.Demand, Role="GroupMember")]
public RemoteableObject GetData()
{
RemoteableObject thisRemObj = new RemoteableObject();

// do some work

return thisRemObj;
}

So in the client I would use the following pattern to access this Remote
Object through an Interface

private void AccessRemoteObject()
{
IGetData data =
(IGetData)Activator.GetObject(typeof(IGetData),string.Format("tcp://{0}:{1}/{2}/GetData",Server ,PortNumber , ApplicationName));
RemoteableObject RO = new RemoteableObject();
try {
RO = data.GetData()
}
catch (SecurityException se) {
Trace.Write(se.Message.ToString());
}
}

But I'll be using Asynchronous access, so I'm guessing this should also work
by way of a delegate within the client with a callBack handler... does this
sound pheasible?

 

[Jialiang Ge [MSFT]]

Hello,

As we see, if it is a synchronous call, we can simply add the try {} catch
around the method data.GetData(). But if it is an asynchronous one, adding
the try {} catch around BeginInvoke may not help. We need to add the try
catch around the EndInvoke call in its call back function.

If you have any other question or need anything else, please feel free to
let me know.

Sincerely,
Jialiang Ge ([email protected], remove 'online.')
Microsoft Online Community Support

=================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from your issue.
=================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jialiang Ge [MSFT]]

Hello,

Would you mind letting me know the result of the suggestions. Please feel
free to let me know if you further questions or concerns.

Sincerely,
Jialiang Ge ([email protected], remove 'online.')
Microsoft Online Community Support

=================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from your issue.
=================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Yes, thank you very much for your help. The first post led me to the correct
capture location where I was able to communicate back to the user, the
results of their request. This also works in the callback of an asynchronous
request.

Thanks again,

Sam Martinez