Home/ Questions/Q 6101895
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T13:33:07+00:00

I’m working on a new security infrastracture for my organization. Since we develop systems

  • 0

I’m working on a new security infrastracture for my organization. Since we develop systems for the inside organization use I’d like to use Windows Authentication, but for the authorization we manage a separate Oracle DB (for historical reasons). My idea was to use PrincipalPermissionAttribute defining 

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

in Global::Application_Start
and

<system.web>
    <compilation debug="true" targetFramework="4.0" />
    <authorization>
      <deny users="?"/>
    </authorization>
    <roleManager **defaultProvider="MyRoleProvider"**
      enabled="true"
      cacheRolesInCookie="true"
      cookieName=".ASPROLES"
      cookieTimeout="30"
      cookiePath="/"
      cookieRequireSSL="false"
      cookieSlidingExpiration="true"
      cookieProtection="All" >
      <providers>
        <clear />
        <add
          name="MyRoleProvider"
          type="WcfServiceLibrary1.MyRoleProvider"
          connectionStringName="Service1"
          applicationName="InfraTest"
          writeExceptionsToEventLog="true" />
      </providers>
    </roleManager>
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport **clientCredentialType="Windows"** />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfService1.Service1">
        <endpoint address="WcfAuthenticationTest" binding="basicHttpBinding"
          bindingConfiguration="BasicHttpEndpointBinding" name="BasicHttpEndpoint"
          contract="WcfService1.IService1">
          <identity>
            <dns value="localhost"/>
          </identity>
        </endpoint>
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost/WcfAuthentication"/>
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceAuthorization **principalPermissionMode="UseAspNetRoles"**/>
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true"/>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>

in my Web.config using my custom role provider that should access the Oracle DB to check the role. But I can not make it work. Is there any way to make the PrincipalPermissionAttribute work in this way or may be the entire concept is wrong? I thought of implementing my custom CodeAccessSecurityAttribute but it is not that simple so I prefer not to do it
Does anybody have any idea of the issue? I’ll be glad to get some answers

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are two things that I’ve learned lately. First af all my concept was right, I can use PrinciplePermissionAttribute with costom role provider, the second is that I was totaly confused with the web.config tags. tag is used for the asp .net settings, while is used for WCF settings. So a liitle bit configuration solved the entire problem. Here is the right configuration

    <?xml version="1.0"?>
<configuration>

  <system.web>
    <compilation debug="true" defaultLanguage="c#" targetFramework="4.0" />

    <roleManager enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES"
      defaultProvider="MyRoleProvider">
      <providers>
        <clear />
        <add connectionStringName="Service1" applicationName="InfraTest"
          writeExceptionsToEventLog="false" name="MyRoleProvider" type="SecLib.MyRoleProvider" />
      </providers>
    </roleManager>

  </system.web>
  <system.serviceModel>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBindingConfiguration" closeTimeout="00:01:00"
          sendTimeout="00:10:00" maxBufferSize="524288" maxReceivedMessageSize="524288">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfRoleProviderTestService.Service1"
               behaviorConfiguration="BasicHttpServiceBehavior" >
        <endpoint name="BasicHttpEndpoint"
                  contract="WcfRoleProviderTestService.IService1"
                  address="WcfAuthenticationTest"
                  binding="basicHttpBinding"
                  bindingConfiguration="BasicHttpBindingConfiguration" />
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost/WcfRoleProviderTestService/" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="BasicHttpServiceBehavior">
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"
            roleProviderName="MyRoleProvider" impersonateCallerForAllOperations="true" />
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
        <behavior name="">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
 <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>
    • 0