Can I use a custom UserNamePasswordValidator as a role provider?

In connection with this question, I have a custom UserNamePasswordValidator, which is included in our internal API. As part of this registration, I can find out the roles of users in our system.

I would like to use them later in PrincipalPermissionAttribute requests for service methods, for example:

[OperationContract]
[PrincipalPermission(SecurityAction.Demand, Role = "System Administrator")]
public string HelloWorld()
{ /* ... */ }
+3
2 answers

To expand Ladislav's answer:

. UserNamePasswordValidator . UserNamePasswordValidator ( - ) OperationContext, .

. , . : , .

, ServiceCredentials -derived, App.config, :

<serviceBehaviors>
  <behavior name="...">
    <serviceAuthorization principalPermissionMode="Custom" />

    <serviceCredentials type="MyNamespace.MyServiceCredentials, MyAssembly">
      <userNameAuthentication userNamePasswordValidationMode="Custom" />

      <serviceCertificate etc. />
    </serviceCredentials>
  </behavior>
</serviceBehaviors>

.

ServiceCredentials.CreateSecurityTokenManager, MySecurityTokenManager, ServiceCredentialsSecurityTokenManager. CreateSecurityTokenAuthenticator, a MySecurityTokenAuthenticator. CustomUserNameSecurityTokenAuthenticator. ValidateUserNamePasswordCore. , .

: MyAuthorizationPolicy, IAuthorizationPolicy. (hah) :

using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Linq;
using System.Security.Principal;

public class MyAuthorizationPolicy : IAuthorizationPolicy
{
    private readonly string _userName;
    private readonly string[] _roles;

    // Created by the token authenticator once the user name and password
    // have been validated and the user's roles looked up.
    public MyAuthorizationPolicy(string userName, string[] roles)
    {
        _userName = userName;
        _roles = roles;
    }

    // Remaining IAuthorizationPolicy members.
    public string Id { get; } = Guid.NewGuid().ToString();
    public ClaimSet Issuer => ClaimSet.System;

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        IList<IIdentity> identities = GetIdentities(evaluationContext);

        // Find the GenericIdentity with our user-name in it.
        IIdentity currentIdentity = identities.SingleOrDefault(
            i => i is GenericIdentity &&
            StringComparer.OrdinalIgnoreCase.Equals(i.Name, _userName));
        if (currentIdentity == null)
            throw new InvalidOperationException("No Identity found");

        // Replace the GenericIdentity with a new one.
        identities.Remove(currentIdentity);
        var newIdentity =
            new GenericIdentity(_userName, currentIdentity.AuthenticationType);
        identities.Add(newIdentity);

        // This makes it available as
        // ServiceSecurityContext.Current.PrimaryIdentity later.
        evaluationContext.Properties["PrimaryIdentity"] = newIdentity;

        // This makes it available as Thread.CurrentPrincipal, which is
        // what PrincipalPermission checks against with principalPermissionMode="Custom".
        IPrincipal newPrincipal = new GenericPrincipal(newIdentity, _roles);
        evaluationContext.Properties["Principal"] = newPrincipal;

        return true;
    }

    private static IList<IIdentity> GetIdentities(
        EvaluationContext evaluationContext)
    {
        object identitiesProperty;
        if (!evaluationContext.Properties.TryGetValue(
            "Identities", out identitiesProperty))
            throw new InvalidOperationException("No Identity found");

        var identities = identitiesProperty as IList<IIdentity>;
        if (identities == null)
            throw new InvalidOperationException("No Identity found");
        return identities;
    }
}

, , PrincipalPermission:

[PrincipalPermission(SecurityAction.Demand, Role = "Editor")]
+6
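The ServiceCredentials / token manager / token authenticator chain the answer describes, written out as an added example (not code from the answer or from the asker's internal API). It assumes the answer's MyAuthorizationPolicy class with a (userName, roles) constructor, and a hypothetical RoleLookup.RolesFor helper standing in for whatever internal API knows a user's roles.

```csharp
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Referenced from the serviceCredentials/@type attribute in App.config.
public class MyServiceCredentials : ServiceCredentials
{
    public MyServiceCredentials() { }
    protected MyServiceCredentials(MyServiceCredentials other) : base(other) { }
    protected override ServiceCredentials CloneCore() => new MyServiceCredentials(this);
    public override SecurityTokenManager CreateSecurityTokenManager() => new MySecurityTokenManager(this);
}

public class MySecurityTokenManager : ServiceCredentialsSecurityTokenManager
{
    public MySecurityTokenManager(MyServiceCredentials parent) : base(parent) { }

    public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator(
        SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
    {
        // Only intercept user-name tokens; every other token type keeps WCF's default handling.
        if (tokenRequirement.TokenType == SecurityTokenTypes.UserName)
        {
            outOfBandTokenResolver = null;
            // The validator configured by userNamePasswordValidationMode="Custom" in App.config.
            return new MySecurityTokenAuthenticator(
                ServiceCredentials.UserNameAuthentication.CustomUserNamePasswordValidator);
        }
        return base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver);
    }
}

public class MySecurityTokenAuthenticator : CustomUserNameSecurityTokenAuthenticator
{
    public MySecurityTokenAuthenticator(UserNamePasswordValidator validator) : base(validator) { }

    protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateUserNamePasswordCore(
        string userName, string password)
    {
        // The base call runs the custom validator, which throws if the credentials are rejected.
        var policies = new List<IAuthorizationPolicy>(
            base.ValidateUserNamePasswordCore(userName, password));
        // Hypothetical role lookup (assumption): replace with the internal API that knows the roles.
        string[] roles = RoleLookup.RolesFor(userName);
        policies.Add(new MyAuthorizationPolicy(userName, roles));
        return policies.AsReadOnly();
    }
}
```

Because the roles are resolved only after the validator has accepted the credentials, a failed login never reaches the policy and no principal is attached to the request.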

, , Principal. , , , , - , , . , , . . WCF. .

+2

Source: https://habr.com/ru/post/1761272/