How can I guarantee that IsInRole checks do not use cached credentials?

I have a WPF client that connects to the WCF service, and I want to block some functions so that only certain users can perform certain actions. The WCF service represents the client when the service methods are executed. OS - Windows XP.

I read this question as part of my investigation into how to properly use user roles for functions in my application (I want to assign users to AD security groups and then check IsInRole), and I am worried that cached permissions will allow users who were granted permissions to access functions to which they no longer have permission. Conversely, I am also concerned that users who have their permissions enabled will need to log out of their Windows account, or even that the WCF service may need to be restarted (worst case scenario) before they can access the new functions.

What is the easiest way to ensure that both the client and server can immediately see the changes in the AD security groups?

+6
1 answer

You can always implement your own membership provider that queries AD. This is pretty easy, and you'll be sure that all permission evaluations are accurate, or at least the way you want.

If you find that the request to the AD server at each evaluation will be "expensive" in performance, you can create your own cache on the client, which you can force to update periodically or on demand. This cache can be as simple as an indexed list (like a dictionary) of permissions, which you can request pretty quickly.

Here is a good article on how to interact with AD: http://www.codeproject.com/KB/system/everythingInAD.aspx

+2
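The approach in the answer above, sketched as an added example (not code from the original post): a role check that asks AD for the user's groups instead of trusting the logon token, with a short-lived cache that can be flushed on demand. `AdRoleChecker`, its members and the TTL are hypothetical names; it assumes .NET 3.5, a domain-joined service host, and that the caller passes the user's sAMAccountName.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement; // reference System.DirectoryServices.AccountManagement.dll

// Hypothetical helper: resolves group membership from AD, not from the cached logon token.
public sealed class AdRoleChecker
{
    private sealed class Entry { public HashSet<string> Groups; public DateTime FetchedUtc; }

    private readonly Dictionary<string, Entry> _cache =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly object _lock = new object();
    private readonly TimeSpan _ttl; // upper bound on how long a revoked membership stays usable

    public AdRoleChecker(TimeSpan ttl) { _ttl = ttl; }

    public bool IsInRole(string samAccountName, string groupName)
    {
        Entry e;
        lock (_lock)
        {
            bool fresh = _cache.TryGetValue(samAccountName, out e)
                         && DateTime.UtcNow - e.FetchedUtc <= _ttl;
            if (!fresh)
            {
                // If AD is unreachable this throws and nothing is cached:
                // the caller must treat the exception as "deny", never reuse a stale entry.
                e = new Entry { Groups = QueryGroups(samAccountName), FetchedUtc = DateTime.UtcNow };
                _cache[samAccountName] = e;
            }
        }
        return e.Groups.Contains(groupName);
    }

    // On-demand refresh: call after an administrator changes the user's groups.
    public void Invalidate(string samAccountName) { lock (_lock) { _cache.Remove(samAccountName); } }

    private static HashSet<string> QueryGroups(string sam)
    {
        var groups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            // Unknown or disabled account: no roles at all.
            if (user == null || user.Enabled == false) return groups;
            foreach (Principal g in user.GetAuthorizationGroups()) // includes nested security groups
                using (g) { if (g.SamAccountName != null) groups.Add(g.SamAccountName); }
        }
        return groups;
    }
}
```

A TTL of zero forces an AD query on every check; any larger value is the window during which a removed group membership can still pass the check.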

Source: https://habr.com/ru/post/892734/