windows account query question


Guest

Hello,

It should be very simple, but I just cannot find out how to do it.

I am developing an info share application. The requirement is that everyone
can view the information, but can only change the information that belongs to him.
We need to use a Windows domain account to do the authentication.
Can anyone tell me how to do domain account authentication in C#? Is there a
class to do it?

Many Thanks

Jerry
 
Jerry,

For something like this, I would use a ServicedComponent. You can derive a
class from ServicedComponent, and then assign roles to each method on the
class, allowing only certain members of each role to make the call.

To do this, you would start by placing the following attributes on your
assembly:

using System.EnterpriseServices;

// Indicate that this should run out of process.
[assembly: ApplicationActivation(ActivationOption.Server)]

// Specify that the types in this assembly (that derive from
// ServicedComponent) require access control.
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy,
    // The enum type for this property is ImpersonationLevelOption.
    ImpersonationLevel = ImpersonationLevelOption.Identify)]

The first attribute, ApplicationActivation, indicates that the
components in the application (your ServicedComponents) will run out of
process. This is needed if you are going to authenticate calls on the
class/interface/method level.

The ApplicationAccessControl attribute indicates how access to the types
in the application is handled. true means that you have to authenticate
calls. AccessChecksLevel indicates whether you want to authenticate on the
process level, or for every call. The value of ApplicationComponent means
that every call will be authenticated. ImpersonationLevel indicates what
identity the application should run under. With
ImpersonationLevel.Identify, it will be able to identify (and authenticate)
the caller, but the process will run under the user account that you
specify. Authentication is how you want to protect the messages as they
travel between client and server. The Privacy value is the highest level,
making sure that the contents were encrypted, and not modified.

Then, on the component level, you will have to define the interface for
the component that you want to limit calls on. For each method of the
interface, you would attach the following attribute:

public interface IInterface
{
    [SecurityRole("AllowedDoSomethingCallers")]
    void DoSomething();
}

Then, you implement this on your class. When the class is registered
with COM+, you will see that there is a role specified in the roles for the
application called AllowedDoSomethingCallers. To this, you can easily add
and remove users and groups (although you should always add groups, and you
can do this through the UI or programmatically) to the role. Then, when
someone from outside of that role tries to make a call, an exception is
thrown, denying the call.

For more information, check out the section of the .NET framework
documentation titled "Writing Serviced Components", located at (watch for
line wrap):

http://msdn.microsoft.com/library/d...guide/html/cpconWritingServicedComponents.asp

Most of the information you will need is located there. It's a lot to
take in, and it seems convoluted, but in reality, it handles most of the low
level plumbing for this and other kinds of tasks (like object pooling,
activation, transaction management, among other things), and saves a
tremendous amount of time once you become accustomed to it.

Hope this helps.
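
An added example, not part of the reply above or of the .NET documentation: a serviced component that combines the role check described in the reply with a per-record ownership check, which is what the "can only change his own information" requirement needs beyond role membership. The interface, class and role names and the in-memory records are hypothetical and constructed for illustration; the assembly-level attributes from the reply are assumed to be present.

```csharp
using System;
using System.Collections.Generic;
using System.EnterpriseServices;

// Hypothetical interface and role names, for illustration only.
public interface IInfoShare
{
    [SecurityRole("InfoShareUsers")]
    string View(int recordId);

    [SecurityRole("InfoShareUsers")]
    void Update(int recordId, string newText);
}

[ComponentAccessControl(true)]   // enforce role checks on this component
[SecureMethod]                   // route calls through the interface so the checks run
public class InfoShare : ServicedComponent, IInfoShare
{
    // Constructed sample data: record id -> { owner account, text }.
    private static readonly Dictionary<int, string[]> Records =
        new Dictionary<int, string[]>
        {
            { 1, new[] { @"EXAMPLE\jerry", "Jerry's note" } },
            { 2, new[] { @"EXAMPLE\alice", "Alice's note" } },
        };

    // Any member of the role may read any record.
    public string View(int recordId)
    {
        lock (Records) { return Records[recordId][1]; }
    }

    public void Update(int recordId, string newText)
    {
        // Fail closed if COM+ security is not active for this call.
        if (!ContextUtil.IsSecurityEnabled)
            throw new UnauthorizedAccessException("COM+ security is disabled.");

        // Account that COM+ authenticated for this call (DOMAIN\user).
        string caller = SecurityCallContext.CurrentCall.DirectCaller.AccountName;

        lock (Records)
        {
            string[] record = Records[recordId];
            if (!string.Equals(record[0], caller, StringComparison.OrdinalIgnoreCase))
                throw new UnauthorizedAccessException("Caller does not own this record.");
            record[1] = newText;
        }
    }
}
```

If the component is called through a middle tier rather than directly by the user, SecurityCallContext.CurrentCall.OriginalCaller identifies the user at the start of the call chain, while DirectCaller identifies the middle tier.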
 