WindowsPrincipal.IsInRole actually check roles and NOT groups?

[Andy]

Hi,

I currently have my application setup and built using Windows
Authentication (WindowsPrincipal). For security checks, I simply do
an IsInRole call on the Principal. The role permissions are hard-
coded, something like this:

private static string[] allowedReadRoles = new string[] { "Sales",
"Ordering" };

I now need to brand my application, and while the roles will remain
the same, the problem is that IsInRole is functioning via group
membership. The branding will be for other companies, which are owned
by the same owners, and use the same office buildings, network /
domain and computers are the main company (the other companies have
less than 10 people).

So, adding the users for Company B to existing groups isn't really an
option... they'd have access to the application for Company A. In the
database that would work, since I add logons for new groups and map
them to existing database roles. For my code though, I don't see a
way to do this. I could provide a similar mapping, but that would
require me to update multiple databases to do the mappings each time I
add a new role to the application.

Any other ideas? Has anyone used Authentication Manager, which allows
you to define real roles, not AD Groups? Is there anything that puts
actual roles in WindowsPrincipal.IsInRole, not just windows groups?
It seems an odd thing; AD groups aren't roles, yet WindowsPrincipal
treats them as such.

Thanks
Andy

 

[Marc Gravell]

Well, if it helps, even with windows identity you can provide your own
roles definitions. If you can look them up from somewhere,
GenericPrincipal may be of use - alternatively create your own
IPrincipal that performs IsInRole... (perhaps prepending an NT name
onto the role per instance?)

But essentially you are going to have to store the data somewhere...

Some ideas...

Mac

using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
static class Program
{
static void Main()
{
string[] userRoles = { "Sales" };
Thread.CurrentPrincipal = new
GenericPrincipal(WindowsIdentity.GetCurrent(), userRoles);
TestSales();
try
{
TestAdmin();
}
catch (SecurityException)
{
Console.WriteLine("Admin failed ;-p");
}
}
[PrincipalPermission(SecurityAction.Demand, Role="Sales")]
static void TestSales() { Console.WriteLine("Sales"); }
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
static void TestAdmin() { Console.WriteLine("Admin"); }
}
// another idea for separating the data...
class SuffixPrincipal : IPrincipal
{
private readonly IPrincipal parent;
private readonly string roleSuffix;
public SuffixPrincipal(IPrincipal parent, string roleSuffix)
{
if (parent == null) throw new ArgumentNullException("parent");
this.parent = parent;
this.roleSuffix = roleSuffix;
}
public IIdentity Identity { get { return parent.Identity; } }
public bool IsInRole(string role)
{
return parent.IsInRole(role + roleSuffix);
}
}