Authorization problem

The following code doesn't produce the expected effect to only allow the
members of Administrators group to access the web method, it stops everyone.
=========
<WebMethod(), _
PrincipalPermission(SecurityAction.Demand, Role:="Administrators")> _
Public Function HelloWorld() As String
Return "Hello World"
End Function
=========

The web service folder is set to require only Windows Authentication, which
goes fine. I can get the user credentials without any problem.

What is wrong?
TIA
Nov 18 '05 #1
Did you try MACHINE\Administrators or the proper domain suffix? Windows
roles always have a prefix in .NET.

Joe K.

"Nikolay Petrov" <jo**************@mail.bg> wrote in message
news:%2****************@TK2MSFTNGP09.phx.gbl...
The following code doesn't produce the expected effect to only allow
the members of Administrators group to access the web method, it stops
everyone.
=========
<WebMethod(), _
PrincipalPermission(SecurityAction.Demand, Role:="Administrators")> _
Public Function HelloWorld() As String
Return "Hello World"
End Function
=========

The web service folder is set to require only Windows Authentication,
which goes fine. I can get the user credentials without any problem.

What is wrong?
TIA

Nov 18 '05 #2
I have tried this. Doesn't help.
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:%2****************@TK2MSFTNGP09.phx.gbl...
Did you try MACHINE\Administrators or the proper domain suffix? Windows
roles always have a prefix in .NET.

Joe K.

Nov 18 '05 #3
Are you certain that the client is being authenticated with Windows
authentication? It would probably be a good idea to dump out the value of
Context.User.Identity.Name and make sure it is the user that you think it
is.

Joe K.

"Nikolay Petrov" <jo**************@mail.bg> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
I have tried this. Doesn't help.
Nov 18 '05 #4
I have done that. It is fine.
Something else is broken. The auditing doesn't show anything either.

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:ef**************@TK2MSFTNGP09.phx.gbl...
Are you certain that the client is being authenticated with Windows
authentication? It would probably be a good idea to dump out the value of
Context.User.Identity.Name and make sure it is the user that you think it
is.

Joe K.
Nov 18 '05 #5
One other thing to check:

Can you do a programmatic check instead of a declarative one? Try
Context.User.IsInRole("machine\administrators") or
Thread.CurrentPrincipal.IsInRole("machine\administrators")?

Those should do the same thing as the declarative demand, but it is worth a
shot.

Another thing to try is to use reflection on _GetRoles private method on
WindowsIdentity to see what the actual values are. This can be helpful for
troubleshooting Windows group resolution. Don't use this in production
though!

Google will dig up a bunch of code samples showing how to do that if you
need it.

Joe K.

"Nikolay Petrov" <jo**************@mail.bg> wrote in message
news:eV**************@TK2MSFTNGP15.phx.gbl...
I have done that. It is fine.
Something else is broken. The auditing doesn't show anything either.
Nov 18 '05 #6
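
Added example (not from the thread or its participants): a .NET Framework console program that runs the programmatic IsInRole check and an imperative PrincipalPermission demand for each spelling of the role name discussed above. It goes beyond the posts by also trying the BUILTIN\ prefix, which Windows uses for built-in local groups, and the WindowsBuiltInRole enum; the module and function names are illustrative, and the account running the program stands in for the authenticated caller.

```vb
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.Threading

Module RoleNameCheck   ' illustrative name, not from the thread

    ' True when a PrincipalPermission demand for roleName succeeds against
    ' Thread.CurrentPrincipal, which is what the declarative attribute tests.
    Function DemandSucceeds(ByVal roleName As String) As Boolean
        Try
            Dim perm As New PrincipalPermission(Nothing, roleName)
            perm.Demand()
            Return True
        Catch ex As SecurityException
            Return False
        End Try
    End Function

    Sub Main()
        ' Assumption: the current process account stands in for the caller
        ' that Windows Authentication would hand to the web method.
        Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim principal As New WindowsPrincipal(identity)
        Thread.CurrentPrincipal = principal

        Console.WriteLine("Identity: {0} ({1})", _
            identity.Name, identity.AuthenticationType)

        ' Spellings to compare: bare name, machine prefix, built-in prefix.
        Dim candidates() As String = { _
            "Administrators", _
            Environment.MachineName & "\Administrators", _
            "BUILTIN\Administrators"}

        For Each roleName As String In candidates
            Console.WriteLine("{0,-35} IsInRole={1,-5} Demand={2}", _
                roleName, principal.IsInRole(roleName), DemandSucceeds(roleName))
        Next

        ' Check that does not depend on how the group name is spelled.
        Console.WriteLine("{0,-35} IsInRole={1}", _
            "WindowsBuiltInRole.Administrator", _
            principal.IsInRole(WindowsBuiltInRole.Administrator))
    End Sub

End Module
```

Run it under the account being tested; a row where IsInRole and Demand are both True is a spelling that the Role:= value of the declarative demand would also match.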
Never heard of reflection ;-)
how to do?
Nov 18 '05 #7
Imports System.Security.Principal
Imports System.Reflection

' Troubleshooting helper: returns the role (group) names the framework
' resolved for this identity by calling the private static _GetRoles method.
Function GetRoles(ByVal identity As WindowsIdentity) As String()

    Dim idType As Type = GetType(WindowsIdentity)
    ' Static, non-public method; its only argument is the identity's token.
    Dim result As Object = idType.InvokeMember("_GetRoles", _
        BindingFlags.Static Or BindingFlags.InvokeMethod Or BindingFlags.NonPublic, _
        Nothing, identity, New Object() {identity.Token}, Nothing)
    Dim roles() As String = DirectCast(result, String())
    Return roles

End Function

Like I said, this is for troubleshooting only, not for production code.
This may not work in future versions of the framework, but does on 1.1.

Joe K.

"Nikolay Petrov" <jo**************@mail.bg> wrote in message
news:OH**************@TK2MSFTNGP12.phx.gbl...
Never heard of reflection ;-)
how to do?
Nov 18 '05 #8
Ok, I'll try it tomorrow and let you know.
Thanks for help.
Nov 18 '05 #9
Hi,
I'm using form authentication with Active Directory not a Database.
Can you give me a hint how I can GetRoles from the Active Directory and
later perform Authorisation?
Thx
Nov 18 '05 #10
I think the standard Forms Authentication with ASP.NET article is an okay
starting point. I'd suggest you rip out their group lookup code and replace
it with some code that uses tokenGroups instead of memberOf. There are many
advantages to this approach.

http://support.microsoft.com/default...b;en-us;326340
http://groups.google.com/groups?hl=e...TNGP12.phx.gbl

If you are having trouble with ASP.NET and security contexts in S.DS, please
read this too:
http://support.microsoft.com/default...b;en-us;329986

The alternatives to this are to use the LogonUser API or SSPI to
authenticate the user and create a Windows token that can be turned into a
WindowsPrincipal for role-based authorization. This approach is actually
better in many ways than the LDAP approach, but might not work in all
situations. These have also been discussed endlessly on the public
newsgroups.

Joe K.

"Patrick.O.Ige" <Pa*********@discussions.microsoft.com> wrote in message
news:D5**********************************@microsoft.com...
Hi,
I'm using form authentication with Active Directory not a Database.
Can you give me a hint how I can GetRoles from the Active Directory and
later perform Authorisation?
Thx
Nov 18 '05 #11
