I am writing a new application which uses Forms Authentication, and has been
separated into layers (UI, Logic, Data Access). Right now all the layers are
self-contained in my application, which may be broken out at a later date.
Also these layers have a separate namespace as well, such as
BusinessLogicLayer, DataAccessLayer, etc. On my methods within the
Business Logic and Data Access, I am wanting to use the PrincipalPermission
attribute.
For example I have a class called State & StateCollection which holds U.S.
State information such as name and FIPS code. One method called GetStates()
demands that a user have a certain role.
    ''' <summary>
    ''' Gets all states and their associated information
    ''' </summary>
    ''' <returns>A collection of states</returns>
    <PrincipalPermission(SecurityAction.Demand, Role:="modifyPropects")> _
    Public Shared Function GetStates() As StateCollection
        ' Resolve the configured data-access implementation for this layer
        Dim dbConn As DataAccessLayer.DataAccessBase = _
            DataAccessLayer.DataAccessBaseHelper.GetDataAccessLayer
        Dim dt As Data.DataTable = dbConn.SelectStates()
        Dim stCol As New StateCollection
        ' Map each row (FIPS code, name, abbreviation) onto a State object
        For Each row As Data.DataRow In dt.Rows
            stCol.Add(New State(row.Item("stateFIPS"), row.Item("state"), _
                                row.Item("code")))
        Next
        Return stCol
    End Function
When I try to call this method from the UI, the PrincipalPermission
attribute specified in the business logic layer is ignored, and the states
list is displayed. It should give me a security exception. However, if I do
this instead: If HttpContext.Current.User.IsInRole("modifyPropects") and
throw an exception manually, it works. Thus, I know roles are getting
assigned, as this type of check does work ok.
Can anyone tell me how to properly set up the global.asax file to allow the
PrincipalPermission attribute to function in an N-Tier type layout? I was
trying to follow:
http://www.leastprivilege.com/Contex...Principal.aspx but I
am not having any luck.
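Added example, not part of the original post: a Global.asax code-behind that rebuilds the principal from the Forms Authentication ticket and assigns it to both HttpContext.Current.User and Thread.CurrentPrincipal, since a PrincipalPermission demand is evaluated against the thread principal rather than the HttpContext user. The role list stored in the ticket's UserData as a "|"-separated string and the class name Global_asax are assumptions for illustration.

```vbnet
' Added example (assumptions: roles live in the ticket's UserData as "roleA|roleB").
Imports System.Security.Principal
Imports System.Threading
Imports System.Web
Imports System.Web.Security

Public Class Global_asax
    Inherits HttpApplication

    ' Runs on every request after the FormsAuthenticationModule has validated the cookie.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
        If authCookie Is Nothing Then Return   ' anonymous request, leave the default principal

        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(authCookie.Value)
        Catch ex As ArgumentException
            ' Malformed or tampered cookie: treat the request as unauthenticated.
            Return
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return

        ' Assumption: roles were written into UserData at login as "roleA|roleB".
        Dim roles() As String = ticket.UserData.Split("|"c)
        Dim principal As New GenericPrincipal(New FormsIdentity(ticket), roles)

        ' Context.User drives HttpContext.Current.User.IsInRole(...) checks in the UI;
        ' Thread.CurrentPrincipal is what <PrincipalPermission(SecurityAction.Demand, ...)>
        ' in the business and data layers actually inspects, so both must agree.
        Context.User = principal
        Thread.CurrentPrincipal = principal
    End Sub
End Class
```

With both principals carrying the same roles, a call to GetStates() by a user outside the "modifyPropects" role raises a SecurityException from the attribute instead of returning the list.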