Per-method role management

I've got a web service where different methods require different roles,
and I'm trying to enforce that now.

I've worked out *one* way of doing things, using
PrincipalPermissionAttribute - but that ends up with a response of 500
rather than a 403.

What's the best way of demanding roles for execution of individual web
methods? Obviously I can write a CheckRole method which sets the
response code appropriately, but then if I'm executing a method which
takes parameters, how do I tell the web method not to write all the
rest of the normal response out? Response.End()?

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Nov 21 '05 #1
When making a web request over http, the status code 500 is the response
for most exceptions.

You may want to look at the Policy mechanism in WSE 2.0 to enforce
role-based authorization.

http://msdn.microsoft.com/library/de...e2wspolicy.asp

Jon Skeet [C# MVP] wrote:
I've got a web service where different methods require different roles,
and I'm trying to enforce that now.

I've worked out *one* way of doing things, using
PrincipalPermissionAttribute - but that ends up with a response of 500
rather than a 403.

What's the best way of demanding roles for execution of individual web
methods? Obviously I can write a CheckRole method which sets the
response code appropriately, but then if I'm executing a method which
takes parameters, how do I tell the web method not to write all the
rest of the normal response out? Response.End()?

Nov 21 '05 #2
<Drew Robbins <"drew at drewby.com">> wrote:
When making a web request over http, the status code 500 is the response
for most exceptions.
Yes - it shouldn't be for this condition though :(
You may want to look at the Policy mechanism in WSE 2.0 to enforce
role-based authorization.

http://msdn.microsoft.com/library/de...ary/en-us/dnwse/html/wse2wspolicy.asp


Right. I've been trying to avoid all of that stuff for the moment
(partly because I'm using the Compact Framework to talk to the
webservice, so I want to keep things simple).

I think I'll just work out some way of returning normally from the
method having set the response code, and suppress the content of the
response.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Nov 21 '05 #3

"Jon Skeet [C# MVP]" <sk***@pobox.com> wrote in message
news:MP***********************@msnews.microsoft.com...
<Drew Robbins <"drew at drewby.com">> wrote:
When making a web request over http, the status code 500 is the response
for most exceptions.
Yes - it shouldn't be for this condition though :(


To return HTTP code 403 you might have to fail it already in the HttpModule
where you do the digest authentication (I'm not sure if you can hack the web
method somehow to get it to return HTTP 403 (see (*))). Handling it in the
HttpModule *and* also allowing declarative permissions in the web methods, you
would have to reflect the web method, see if it has the PrincipalPermission
attribute, then check if the user belongs to the role and then possibly
fail. This is a fair amount of work and you'd be writing similar plumbing
that WSE gives you pretty much out of the box...

A bigger question is: is it ok to couple the authentication logic with
transport? This depends largely on your requirements, but in general, HTTP
digest authentication for web services is a dead-end as are all
transport-based authentication schemes. They won't do if you want to
authenticate over other transports, over multiple hops, or have support for
WS-Security. Again, WSE would be the real answer here.

(*) I made a quick experiment with the following code in the web method:

// Inside the web method: discard whatever ASMX has buffered and emit a 403 directly
Context.Response.Clear();
Context.Response.StatusCode = 403;
Context.Response.StatusDescription = "Access Denied";
Context.Response.Write("<h2>Access Denied</h2>");
Context.Response.End(); // End() aborts the worker thread (ThreadAbortException)

but it just ends up returning error code 500 anyway with a
ThreadAbortException. Most likely the Web Service infrastructure in ASP.NET
does not like you trying to change the HTTP response from within the web
method.
You may want to look at the Policy mechanism in WSE 2.0 to enforce
role-based authorization.

http://msdn.microsoft.com/library/de...ary/en-us/dnwse/html/wse2wspolicy.asp


Right. I've been trying to avoid all of that stuff for the moment
(partly because I'm using the Compact Framework to talk to the
webservice, so I want to keep things simple).

I think I'll just work out some way of returning normally from the
method having set the response code, and suppress the content of the
response.


As it sometimes happens, trying to keep it simple may end up making things
unnecessarily complicated :)

Regards and YMMV,
Sami
Nov 21 '05 #4
Sami Vaaraniemi <sa**********@pleasejippii.fi> wrote:
"Jon Skeet [C# MVP]" <sk***@pobox.com> wrote in message
news:MP***********************@msnews.microsoft.com...
<Drew Robbins <"drew at drewby.com">> wrote:
When making a web request over http, the status code 500 is the response
for most exceptions.
Yes - it shouldn't be for this condition though :(


To return HTTP code 403 you might have to fail it already in the HttpModule
where you do the digest authentication (I'm not sure if you can hack the web
method somehow to get it to return HTTP 403 (see (*))). Handling it in the
HttpModule *and* also allowing declarative permissions in the web methods, you
would have to reflect the web method, see if it has the PrincipalPermission
attribute, then check if the user belongs to the role and then possibly
fail. This is a fair amount of work and you'd be writing similar plumbing
that WSE gives you pretty much out of the box...


Yes - unfortunately WSE isn't in the picture at the moment.

I'm getting somewhere setting the HTTP code in the web service, but
still investigating at the moment. Unfortunately, it's fairly hard to
look at what's coming down the wire when I'm testing with a Pocket PC
connected with USB.

If I could very easily and robustly work out what web method was going
to be called (beyond just parsing the URL - doable but slightly flaky,
I suspect) I would put the authorization rules in an XML form
somewhere, akin to how servlets work. Unfortunately I can't see any way
of finding out what method is going to be called programmatically before
it *is* called. I may well have missed something though...
A bigger question is: is it ok to couple the authentication logic with
transport? This depends largely on your requirements, but in general, HTTP
digest authentication for web services is a dead-end as are all
transport-based authentication schemes. They won't do if you want to
authenticate over other transports, over multiple hops, or have support for
WS-Security. Again, WSE would be the real answer here.
For other situations, you're absolutely right. In this case, a
transport authentication mechanism is fine, although I'd prefer not to
couple the *authorization* mechanism in there.

We're abusing web services in a few ways to make the bandwidth more
reasonable, as this is going over GPRS. Some calls have to be made with
HTTP POST rather than SOAP for that reason.
(*) I made a quick experiment with the following code in the web method:

// Inside the web method: discard whatever ASMX has buffered and emit a 403 directly
Context.Response.Clear();
Context.Response.StatusCode = 403;
Context.Response.StatusDescription = "Access Denied";
Context.Response.Write("<h2>Access Denied</h2>");
Context.Response.End(); // End() aborts the worker thread (ThreadAbortException)

but it just ends up returning error code 500 anyway with a
ThreadAbortException. Most likely the Web Service infrastructure in ASP.NET
does not like you trying to change the HTTP response from within the web
method.


I think it doesn't mind that - it's the call to End() which causes
problems, by throwing an exception. I'm not sure where it sets the code
to 200 though - if it does that after the web method has executed, I
could have problems. Ah well - I'll keep experimenting.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Nov 21 '05 #5
Jon Skeet [C# MVP] <sk***@pobox.com> wrote:
Ah well - I'll keep experimenting.


Current solution seems to work. Each web method has something like:

if (!CheckRole (...)) return;
or
if (!CheckRole (...)) return null;

CheckRole looks like this:

bool CheckRole(string role)
{
    // Not authenticated at all: 401 so the client knows to (re)authenticate
    if (!Context.User.Identity.IsAuthenticated)
    {
        Context.Response.StatusCode = 401;
        Context.Response.StatusDescription = "Access Denied";
        // Context.Response.SuppressContent = true;
        return false;
    }
    // Authenticated but not in the required role: 403
    if (!Context.User.IsInRole(role))
    {
        Context.Response.StatusCode = 403;
        Context.Response.StatusDescription = "Forbidden";
        // Context.Response.SuppressContent = true;
        return false;
    }
    return true;
}

For some reason, suppressing the content makes the server hang - no
idea why yet. That's a slight pity, but not significantly problematic.

That all seems to work, and has the benefit of allowing anonymous
access for the service description. If anyone knows any way of
improving the above, or why it's awful and should be avoided like the
plague, do let me know :)

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Nov 21 '05 #6
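Added example, not code from the thread: Sami's suggestion (post #4) of failing the request in an HttpModule, combined with the per-method role table Jon wanted (post #5), written as an IHttpModule that decides in the AuthorizeRequest stage before the ASMX handler runs. The class name, the role map and its method names are assumptions; it relies only on System.Web members (HttpApplication.AuthorizeRequest, Request.PathInfo, the SOAPAction header, HttpApplication.CompleteRequest) and assumes an authentication module has already populated Context.User.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
// Hypothetical module (added example): the check runs in AuthorizeRequest, before the
// ASMX handler writes any SOAP/HTTP-POST body, so no Response.End() is needed.
public class WebMethodRoleModule : IHttpModule
{
    // Constructed role map keyed by web method name, standing in for the XML rule file
    // the thread mentions. No entry means anonymous access, so ?WSDL stays reachable.
    static readonly Dictionary<string, string[]> RequiredRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "GetOrders",   new[] { "Sales", "Admin" } },
            { "DeleteOrder", new[] { "Admin" } },
        };
    public void Init(HttpApplication app) { app.AuthorizeRequest += OnAuthorizeRequest; }
    public void Dispose() { }
    // HTTP GET/POST put the method in PathInfo ("/Service.asmx/GetOrders"); SOAP 1.1
    // puts it in the quoted SOAPAction header ("http://tempuri.org/GetOrders").
    internal static string ResolveMethodName(string pathInfo, string soapAction)
    {
        if (!string.IsNullOrEmpty(pathInfo))
            return pathInfo.TrimStart('/');
        if (string.IsNullOrEmpty(soapAction))
            return null;
        string action = soapAction.Trim('"');
        int slash = action.LastIndexOf('/');
        return slash >= 0 ? action.Substring(slash + 1) : action;
    }
    void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        if (!ctx.Request.Path.EndsWith(".asmx", StringComparison.OrdinalIgnoreCase))
            return; // not a web service request
        string method = ResolveMethodName(ctx.Request.PathInfo, ctx.Request.Headers["SOAPAction"]);
        if (method == null || !RequiredRoles.TryGetValue(method, out string[] roles))
            return; // no rule for this method: allow
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            ctx.Response.StatusCode = 401; // assumes the digest module adds the WWW-Authenticate challenge
            app.CompleteRequest();         // skips the handler without a ThreadAbortException
            return;
        }
        foreach (string role in roles)
            if (ctx.User.IsInRole(role)) return;
        ctx.Response.StatusCode = 403;
        app.CompleteRequest();
    }
}
```

Register it under <httpModules> in web.config after the authentication module so Context.User is set when AuthorizeRequest fires; because the status code is set before the handler runs, the 401/403 reaches the client without the 500 seen when calling Response.End() inside the web method.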
