Question about declarative Role Based security...

  • Thread starter Ray Cassick (Home)

Ray Cassick (Home)

I have some code that looks like this for one of my classes:

Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal

<PrincipalPermission(SecurityAction.Demand, Role:="RUS\GEM_Admin")> _
Public Class GccAdmin
    Public Sub New()
    End Sub
End Class

The intent here is to make sure that the class cannot be instanced unless
the caller has the correct DomainName\GroupName privileges.

All here is fair and well until I start to think about what this implies. To
me at least, this implies that the domain name is made part of the assembly
at build time. What happens if I want to run this on a different domain?

Seems like I am missing something here...

Anyone care to clear this question up?


--
Raymond R Cassick
CEO / CSA
Enterprocity Inc.
www.enterprocity.com
3380 Sheridan Drive, #143
Amherst, NY 14227
V: 716-316-7537
Blog: http://spaces.msn.com/members/rcassick/
 

Ken Tucker [MVP]

Hi,


Here is how I do it. If you throw an exception in the new
procedure the class isn't instanced.

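Imports System.Security
Imports System.Security.Principal
Imports System.Windows.Forms

Public Class test
    Public Sub New()
        ' Build a principal for the Windows account running this code.
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim wp As New WindowsPrincipal(id)
        ' Throwing from the constructor prevents the instance from being created.
        If Not wp.IsInRole("RUS\GEM_Admin") Then
            Throw New SecurityException("Unauthorized User")
        End If
    End Sub

    Public Sub Hello()
        MessageBox.Show("Hello World")
    End Sub
End Class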



Ken

Ray Cassick (Home)

But this still requires me to hard code the domain name in the assembly. I
don't know the domain name that my assembly is going to run under but I do
know the group name I need to require.

Is there any way that I can do this without having to hard code the domain
name as part of the group name string?
 

Kevin Hodgson

Don't hardcode the domain name. Allow it to be set in your application, or
read it from a .config file where it can be set after installation. Then
when you create the Security Principals, construct the Domain and Group and
handle the exception if it doesn't exist.

Alternatively, in a single-domain environment, you could find the domain the
currently logged in user is a member of, and then construct your
DOMAIN\GEM_Admin as a member of that domain.
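
One way to combine the suggestions in the replies above, as an added example that is not code from any poster in the thread: the role string is built at run time from a configured domain, falling back to the current user's domain, and checked in the constructor. The class name `RoleResolver` and the appSettings key `AdminGroupDomain` are hypothetical, and the project is assumed to reference System.Configuration.dll.

```vb
Imports System.Configuration
Imports System.Security
Imports System.Security.Principal

Public NotInheritable Class RoleResolver
    ' Group name from the thread; the domain is deliberately not compiled in.
    Private Const GroupName As String = "GEM_Admin"

    Private Sub New()
    End Sub

    ' Builds DOMAIN\GEM_Admin. "AdminGroupDomain" is a hypothetical appSettings key.
    Public Shared Function ResolveAdminRole(ByVal id As WindowsIdentity) As String
        Dim domain As String = ConfigurationManager.AppSettings("AdminGroupDomain")
        If String.IsNullOrEmpty(domain) Then
            ' Single-domain fallback: take the domain part of DOMAIN\user.
            Dim slash As Integer = id.Name.IndexOf("\"c)
            If slash <= 0 Then
                ' Fail closed when no domain can be determined.
                Throw New SecurityException("Cannot determine domain for role check")
            End If
            domain = id.Name.Substring(0, slash)
        End If
        Return domain & "\" & GroupName
    End Function

    ' Imperative equivalent of the attribute, with the role resolved at run time.
    Public Shared Sub DemandAdmin()
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim wp As New WindowsPrincipal(id)
        If Not wp.IsInRole(ResolveAdminRole(id)) Then
            Throw New SecurityException("Unauthorized User")
        End If
    End Sub
End Class

Public Class GccAdmin
    Public Sub New()
        ' Throws before the instance is handed back to the caller.
        RoleResolver.DemandAdmin()
    End Sub
End Class
```

The fallback trusts whatever domain the current account belongs to; for a local account that is the machine name, so the check would then match a local group called GEM_Admin. Set the configured value, and restrict write access to the .config file, when that distinction matters.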
 
