
RequiresRoles problem

Printed From: IdeaBlade
Category: DevForce
Forum Name: DevForce 2010
Forum Description: For .NET 4.0
URL: http://www.ideablade.com/forum/forum_posts.asp?TID=2622
Printed Date: 11-Jun-2026 at 5:22am


Topic: RequiresRoles problem
Posted By: ands
Subject: RequiresRoles problem
Date Posted: 15-Apr-2011 at 2:51am
Hi

I've just started with DevForce, so maybe my lack of experience is the cause of misunderstanding.
I am trying to use declarative [RequiresRoles] in my class: 

[RequiresRoles("admin")]
public class EntityServerQueryManager : EntityServerQueryInterceptor {
}

My web.config configuration:
 <objectServer>
      <serverSettings useAspNetSecurityServices="true" allowAnonymousLogin="true" loginManagerRequired="true" />
 </objectServer>
...
 <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
 </system.serviceModel>

Next I try to fetch data (without login) and fill my datagrid.
I expect some exception (PersistenceSecurityException), but my datagrid shows all records. Why?
Principal is not authenticated and roles are empty.

When I change my class to the one from the DeveloperGuide (page 382):
public class EntityServerQueryManager : EntityServerQueryInterceptor {
    protected override bool AuthorizeQuery() {
        return Principal.IsInRole("admin");
    }
}

I receive the correct message about the cancelled operation.

I've tried with RequiresAuthentication also but I can still get data.

My DF version is 6.0.9 

Kind regards
Andrzej



Replies:
Posted By: robertg
Date Posted: 15-Apr-2011 at 12:09pm
Andrej,

There are several things this could be.

First, do you have roles required in your config? There should be a statement like:

<system.web>
  <roleManager enabled="true" />
</system.web>

The other possibility that comes to mind is that you don't have the rights of the roles specified properly. You can require particular roles for either CanQuery or CanSave on either the entity level, or in the query interceptor. I believe that in your case, you want to have entity-level authorization set. You can find information on this in the DRC at:

http://drc.ideablade.com/xwiki/bin/view/Documentation/authorize#HEntity-levelauthorization

-- Robert


Posted By: ands
Date Posted: 16-Apr-2011 at 1:36am

Hi

I agree with you that my example does not make much sense, and that certainly the better solution is to use entity-level authorization, but I wanted to discover and learn how it works this way.
At the beginning I checked [RequiresAuthentication], but without a positive result, then I tried [RequiresRoles("admin")].

For simplicity, I used your sample project from \080_Security\Silverlight\Codecs\ASPNET Membership with Registration, where I changed:

1. Page.xaml.cs - line 136 //btnFetch.IsEnabled = false;
2. web.config
<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="ideablade.configuration" type="IdeaBlade.Core.Configuration.IdeaBladeSection, IdeaBlade.Core" />
  </configSections>
  <connectionStrings>
    <add name="NorthwindIBEntities" connectionString="metadata=res://*/Code.NorthwindIB.csdl|res://*/Code.NorthwindIB.ssdl|res://*/Code.NorthwindIB.msl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=.;Initial Catalog=NorthwindIB;Integrated Security=True;MultipleActiveResultSets=True&quot;" providerName="System.Data.EntityClient" />  
  </connectionStrings> 

  <ideablade.configuration version="6.00" xmlns="http://schemas.ideablade.com/2010/IdeaBladeConfig" >
    <logging logFile="log\DebugLog.xml"/>
    <objectServer>
      <serverSettings useAspNetSecurityServices="true"  allowAnonymousLogin="true" loginManagerRequired="true" />
    </objectServer>
  </ideablade.configuration>
  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
  </system.serviceModel>
  <system.web>
    <authentication mode="Forms"/>
    <roleManager enabled="true" />     
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
      </assemblies>
    </compilation>
  </system.web>
</configuration>

Based on the assumption that the class EntityServerQueryManager has the [RequiresAuthentication] attribute, retrieving data should not be possible.

... but the DataGrid shows records.

In addition, when I apply [RequiresRoles("admin")], the effect is the same.

[RequiresAuthentication]
[RequiresRoles("admin")]
public class EntityServerQueryManager : EntityServerQueryInterceptor {
}

I've checked the CanQuery and CanSave properties on the Customer entity; these have the default value.


Why is this happening? Is there something I forgot?

Kind regards

Andrzej



Posted By: ands
Date Posted: 26-Apr-2011 at 12:09am
Hi,
Is it the tradition of this forum to wait half a month for a reply?????????
 
Kind regards
Andrzej


Posted By: kimj
Date Posted: 26-Apr-2011 at 7:07am
Hi Andrzej,
 
The RequiresRoles attribute doesn't actually work when placed on the interceptor.  Our previous documentation was incorrect.  The DevForce Resource Center has the corrected information on where/when you can use this attribute.
 
In your case you may instead want to add some simple code to the interceptor's AuthorizeQuery, but there are other options too.  Here's more information: http://drc.ideablade.com/xwiki/bin/view/Documentation/authorize
 
 
Kim Johnson
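A fail-closed version of the AuthorizeQuery override that Kim points to, added here as an example; it is not code from the thread or from IdeaBlade. Only AuthorizeQuery and Principal are taken from the posts above; the IdeaBlade.EntityModel namespace and the IsAuthorized helper are assumptions.

```csharp
using System.Security.Principal;
using IdeaBlade.EntityModel;   // assumed namespace of EntityServerQueryInterceptor (DevForce 2010)

// Query interceptor that enforces authorization in code rather than with
// [RequiresRoles]/[RequiresAuthentication] on the interceptor class, which the
// thread above shows is silently ignored there: the query fails open.
public class EntityServerQueryManager : EntityServerQueryInterceptor
{
    // Role names are compared exactly by IsInRole; a value such as "admin " (trailing
    // space) would never match, so keep them in one place.
    private static readonly string[] RequiredRoles = { "admin" };

    protected override bool AuthorizeQuery()
    {
        // With allowAnonymousLogin="true" an unauthenticated request still reaches the
        // interceptor, so the decision must reject a missing or anonymous principal.
        return IsAuthorized(Principal, RequiredRoles);
    }

    // Pure decision function (assumed helper), kept separate from the framework so it
    // can be exercised with a GenericPrincipal without starting an EntityServer.
    public static bool IsAuthorized(IPrincipal principal, string[] requiredRoles)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;   // fail closed: anonymous or unknown caller gets nothing

        foreach (var role in requiredRoles)
        {
            if (principal.IsInRole(role))
                return true;
        }
        return false;       // authenticated but lacks every required role
    }
}
```

Repeating Andrzej's check (fetch without logging in) against this interceptor should now cancel the query instead of filling the grid, which is the observable difference between the attribute being ignored and the override being applied.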


