Wcf data permission

How to use the [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] attribute for a class?

I am looking for a way to restrict access to my object, i.e. if any object accesses the service method, and the user has access rights to the service method but does not have access rights to the object, an exception must be thrown.

+4
authentication authorization wcf
Feb 19 '11 at 13:45
2 answers

The PrincipalPermission attribute can decorate a method or a class. Therefore, you can restrict access to an instance of an object. There are a few things to do:

  • Configure the selected service and client binding to use security. Specify Windows as the client credential type.
  • Configure the service to use Windows groups for authorization.
  • Decorate the class that will contain sensitive information with the PrincipalPermission attribute.

If you need to pass a singleton instance to the ServiceHost constructor, do the following:

  • Create an instance of the singleton service. Thread.CurrentPrincipal must have the permissions necessary to access the confidential object.
  • Create an instance of ServiceHost by passing the singleton service instance. The InstanceContextMode property of the ServiceBehavior attribute must be set to InstanceContextMode.Single.

Otherwise:

  • Create an instance of ServiceHost by passing the type of service.

Optionally, decorate the service method with the FaultContract attribute and throw a FaultException from it to avoid a client channel failure.

Here is an example:

Service configuration file:

    <system.serviceModel>
      <services>
        <service name="Server.Service" behaviorConfiguration="Authorization">
          <endpoint address="" binding="netTcpBinding" bindingConfiguration="TCP" contract="Common.IService" />
          <host>
            <baseAddresses>
              <add baseAddress="net.tcp://localhost:13031/Service"/>
            </baseAddresses>
          </host>
        </service>
      </services>
      <bindings>
        <netTcpBinding>
          <binding name="TCP" openTimeout="00:30:00" closeTimeout="00:00:10" maxReceivedMessageSize="2147483647">
            <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
            <security mode="Message">
              <message clientCredentialType="Windows" />
            </security>
          </binding>
        </netTcpBinding>
      </bindings>
      <behaviors>
        <serviceBehaviors>
          <behavior name="Authorization">
            <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
          </behavior>
        </serviceBehaviors>
      </behaviors>
    </system.serviceModel>

Client configuration file:

    <system.serviceModel>
      <client>
        <endpoint name="NetTcpBinding_IService" address="net.tcp://localhost:13031/Service" binding="netTcpBinding" bindingConfiguration="TCP" contract="Common.IService" />
      </client>
      <bindings>
        <netTcpBinding>
          <binding name="TCP" openTimeout="00:30:00" closeTimeout="00:00:10" sendTimeout="00:30:00" receiveTimeout="00:30:00" maxReceivedMessageSize="2147483647">
            <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
            <security mode="Message">
              <message clientCredentialType="Windows" />
            </security>
          </binding>
        </netTcpBinding>
      </bindings>
    </system.serviceModel>

Confidential information class:

    using System.Security.Permissions;

    // Every member of this class, including the constructor, demands the Administrators role
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public class ContactInfo
    {
        public string FirstName { get; set; }
        public string LastName { get; set; }

        public ContactInfo()
        {
            FirstName = "John";
            LastName = "Doe";
        }

        public override string ToString()
        {
            return string.Format("{0} {1}", FirstName, LastName);
        }
    }

Service contract and its implementation:

    using System;
    using System.Collections.Generic;
    using System.Security.Principal;
    using System.ServiceModel;
    using System.Threading;

    [ServiceContract]
    public interface IService
    {
        [OperationContract]
        [FaultContract(typeof(string))]
        string GetName(int id);
    }

    [ServiceBehavior]
    // Use the following if a singleton instance needs to be passed to the ServiceHost constructor
    //[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
    public class Service : IService
    {
        private Dictionary<int, ContactInfo> Contacts { get; set; }

        public Service()
        {
            Contacts = new Dictionary<int, ContactInfo>();
            IPrincipal originalPrincipal = Thread.CurrentPrincipal;
            try
            {
                // The class-level demand also guards the constructor, so build the
                // protected object under the host process's own Windows identity
                Thread.CurrentPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
                Contacts.Add(1, new ContactInfo());
            }
            finally
            {
                Thread.CurrentPrincipal = originalPrincipal;
            }
        }

        public string GetName(int id)
        {
            if (!Contacts.ContainsKey(id))
                return null;
            try
            {
                // ToString() triggers the PrincipalPermission demand on ContactInfo;
                // a SecurityException here means the caller lacks the required role
                return Contacts[id].ToString();
            }
            catch (Exception ex)
            {
                // Report the failure as a typed fault so the client channel is not faulted
                throw new FaultException<string>(ex.Message);
            }
        }
    }
+5
Feb 27 2018-11-22T00:
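The answer above shows the configuration, the protected class and the service, but not the host or the caller. The following console program is an added example, not code from the answer: it self-hosts the Service type using the service configuration above and then calls GetName through a ChannelFactory, so the outcome of the PrincipalPermission demand on ContactInfo is visible at the client as FaultException<string> instead of a faulted channel. It assumes that the types Common.IService, Server.Service and ContactInfo exist exactly as in the answer, that both <system.serviceModel> fragments above are merged into the program's app.config, and that the program targets .NET Framework (PrincipalPermission is not supported on .NET Core).

```csharp
using System;
using System.ServiceModel;

// Added example (not part of the original answer). Assumes the answer's
// Common.IService, Server.Service and ContactInfo types and its app.config.
class Program
{
    static void Main()
    {
        // Host side: binding, Message security with Windows credentials and
        // principalPermissionMode="UseWindowsGroups" all come from app.config.
        using (var host = new ServiceHost(typeof(Server.Service)))
        {
            host.Open();
            Console.WriteLine("Service listening on {0}", host.BaseAddresses[0]);

            // Client side: the endpoint name matches the client configuration.
            var factory = new ChannelFactory<Common.IService>("NetTcpBinding_IService");
            Common.IService proxy = factory.CreateChannel();
            try
            {
                // Succeeds only when the calling Windows account is in the
                // Administrators group; otherwise the demand inside
                // ContactInfo.ToString() fails and GetName throws a typed fault.
                Console.WriteLine("GetName(1) = {0}", proxy.GetName(1));

                // An unknown id is not a security failure: the service returns null.
                Console.WriteLine("GetName(2) = {0}", proxy.GetName(2) ?? "<null>");
            }
            catch (FaultException<string> fault)
            {
                // Detail carries the SecurityException message from the service;
                // because it is a declared fault, the proxy remains usable.
                Console.WriteLine("Access denied by service: {0}", fault.Detail);
            }
            finally
            {
                ((ICommunicationObject)proxy).Close();
                factory.Close();
            }
        }
    }
}
```

Run the program once as a member of the local Administrators group and once as an ordinary user to observe both branches; with the service and client in one process, the identity presented over the channel is that of the process, so the second run has to be started under the non-administrative account.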

If you are familiar with .NET code access security (both imperative and declarative), the pattern is exactly the same. In the declarative form, the PrincipalPermissionAttribute attribute is applied to the method of the class that implements the service contract:

    [PrincipalPermission(SecurityAction.Demand, Role = "Updaters")]
    public bool Update()
    {
        return true;
    }

This example checks whether the current principal belongs to a role called Updaters. When the attribute is evaluated, the IsInRole method of the principal is invoked.

For the imperative equivalent of PrincipalPermissionAttribute, an instance of the PrincipalPermission class is created. The PrincipalPermission constructor accepts the user name and the role as parameters. Once the instance is created, the Demand method can be called to determine whether the current principal has the necessary permissions. The following example shows this:

    using System.Security.Permissions;

    PrincipalPermission p = new PrincipalPermission(null, "Updaters");
    p.Demand();

The configuration should look like this:

    <behaviors>
      <serviceBehaviors>
        <behavior>
          ...
          <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

For a working sample, please see: Authorization of access to service operations

+1
Feb 19 2018-11-21T00:
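Both answers rest on the same mechanism: a PrincipalPermission demand, whether declared by attribute or issued by calling Demand(), asks Thread.CurrentPrincipal.IsInRole for the named role. The program below is an added example, not code from either answer, that exercises this without a WCF host or real Windows groups by installing a GenericPrincipal on the thread. It covers the imperative Demand() from the second answer, the class-level attribute from the first answer (including the fact that the demand also guards the constructor, which is why that answer's Service constructor temporarily swaps Thread.CurrentPrincipal), and shows that a cached instance is re-checked on every later call. The role names Updaters and Administrators come from the answers; the user names and the Readers role are constructed sample values. It targets .NET Framework, where PrincipalPermission is implemented.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example (not part of either answer). Role names follow the answers;
// user names and the "Readers" role are constructed for illustration.

[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
class ContactInfo
{
    public string Name { get; set; }
    public ContactInfo() { Name = "John Doe"; }
    public override string ToString() { return Name; }
}

static class Demo
{
    // Runs an action with Thread.CurrentPrincipal set to a principal that
    // carries the given roles, then restores the original principal.
    static bool RunAs(string user, string[] roles, Action action)
    {
        IPrincipal original = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try
        {
            action();
            Console.WriteLine("{0}: allowed", user);
            return true;
        }
        catch (SecurityException ex)
        {
            // Demand failed: IsInRole returned false for the required role.
            Console.WriteLine("{0}: denied ({1})", user, ex.Message);
            return false;
        }
        finally
        {
            Thread.CurrentPrincipal = original;
        }
    }

    static void Main()
    {
        // Imperative form (second answer): a null user name means any
        // authenticated user, so only the role membership is checked.
        var updaters = new PrincipalPermission(null, "Updaters");
        RunAs("alice", new[] { "Updaters" }, () => updaters.Demand());   // allowed
        RunAs("bob", new[] { "Readers" }, () => updaters.Demand());      // denied

        // Declarative form on a class (first answer): the demand runs on
        // construction and on every method call, so even ToString() is guarded.
        RunAs("carol", new[] { "Administrators" }, () => Console.WriteLine(new ContactInfo())); // allowed
        RunAs("dave", new[] { "Readers" }, () => Console.WriteLine(new ContactInfo()));         // denied

        // What the first answer's Service constructor relies on: construct the
        // object under a principal that satisfies the demand, then hand it to
        // callers, who must satisfy the demand again whenever they touch it.
        ContactInfo cached = null;
        RunAs("carol", new[] { "Administrators" }, () => cached = new ContactInfo()); // allowed
        RunAs("dave", new[] { "Readers" }, () => Console.WriteLine(cached.ToString())); // denied
    }
}
```

The last pair of calls is the behaviour the first answer's GetName method turns into a FaultException<string>: holding a reference to the protected object grants nothing by itself, because the check is repeated at each member access against whatever principal is on the calling thread at that moment.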
