[SOLVED] Security

Printed From: IdeaBlade
Category: DevForce
Forum Name: DevForce Classic
Forum Description: For .NET 2.0
URL: http://www.ideablade.com/forum/forum_posts.asp?TID=428
Printed Date: 11-Jun-2026 at 6:01pm


Topic: [SOLVED] Security
Posted By: Linguinut
Subject: [SOLVED] Security
Date Posted: 13-Sep-2007 at 1:18pm
What is the best way to handle role-based security in the CAB?
 
Thanks,
Bill



Replies:
Posted By: Bill Jensen
Date Posted: 13-Sep-2007 at 5:13pm
This question is a little like asking "In 25 words or less...discuss China".
 
I'm out of the office through Monday.  I'll be happy to address this when I return on Tuesday.
 
Bill J.


Posted By: Linguinut
Date Posted: 13-Sep-2007 at 5:23pm
No problem.  I can introduce the security aspect later in the project.


Posted By: davidklitzke
Date Posted: 13-Sep-2007 at 7:01pm

I don't know why you would look at role-based authorization in Cabana applications any differently than you would look at role-based authorization in any other kind of IdeaBlade application.  In particular, I encourage you to look at the Advanced Tutorial on Role-based Authorization.



Posted By: Linguinut
Date Posted: 14-Sep-2007 at 9:37am

Well, for one, I could load/not load modules based on the user's role.  This involves the ProfileCatalog.xml file in some way.  Also, I want to make sure that I am not missing out on taking advantage of IOC/dependency injection.  A service would be a great place to put this kind of thing, I imagine.  That kind of application structure is a bit different.

Nevertheless, I am looking at any documentation, samples and videos that I can lay my hands on.  I am currently reviewing (again) your seminar on Securing Your Application.

Thanks!
Bill



Posted By: Linguinut
Date Posted: 17-Sep-2007 at 10:47am

How does the following actually work?

<Section Name="Sales">
    <Dependencies>
        <Dependency Name="Foundation" />
    </Dependencies>
    <Modules>
        <ModuleInfo AssemblyFile="Spiratex.Aspire.Sales.dll">
            <Roles>
                <Role Allow="Sales"/>
            </Roles>
        </ModuleInfo>
    </Modules>
</Section>

Will this work if I have an AD group called 'Sales'?


Posted By: Bill Jensen
Date Posted: 18-Sep-2007 at 11:04am

CAB only loads the Spiratex.Aspire.Sales module if the current Principal responds true to IsInRole("Sales").

Is that the question?
 
Bill J.


Posted By: Linguinut
Date Posted: 18-Sep-2007 at 12:18pm
Yup.  Essentially.  That is exactly what I expected; however, that is not what is happening.  I made myself a member of the sales group, but the module does not load.  I also added the "Domain Admins" group to the module (which I am already a part of) -- <Role Allow="Domain Admins"/> --, but that did not work, either.  Is there something else I need to "turn on" or "turn off" within the app?
 
I expect this would work on a view level, too, if I utilized the proper attributes and reflection.  Is that right? 


Posted By: Bill Jensen
Date Posted: 18-Sep-2007 at 1:42pm

How are you authorizing (assigning roles)?  Are roles stored in your database?  How do they find their way into the Principal for the running application?

See the Login() method at LoginManager (in CabanaCo.Cabana.Model) line 76.
 
Bill J.


Posted By: Linguinut
Date Posted: 19-Sep-2007 at 12:06pm

All roles should be retrieved from the Active Directory.

The LoginManager did not have the GetUserRoles method implemented, so I added code to iterate through the WindowsIdentity groups collection and slipped each group name into the string collection that is returned to create the IPrincipal object.
 
This does not work.  Either the LoginManager is not being called (although the LoginManagerRequired property of the ibConfig file is set to true--debugging now), or I implemented the GetUserRoles method improperly, as follows. 

WindowsIdentity wid = WindowsIdentity.GetCurrent(false);
List<string> groups = new List<string>();
IdentityReferenceCollection irc = wid.Groups.Translate(typeof(NTAccount));
foreach (NTAccount acc in irc)
{
    groups.Add(acc.Value);
}
return groups.ToArray();
 
Another consideration is the "Applicable to server only" statement.  If I am running this app without BOS (for development purposes), then is the login manager not being used?
 
Thanks,
Bill


Posted By: Linguinut
Date Posted: 19-Sep-2007 at 12:28pm
Two issues worked against me:
 
1)  The "acc.Value" from the above code returns an ALL CAPS string.  I just needed to make the ProfileCatalog entries reflect that.
2)  The domain name is included in the group name (or local machine, if a local group), so I needed to remove the domain name from the string.
 
It is working, now.
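
The two issues named in the post above (letter case and the domain prefix), as an added example that is not part of the original thread and is not DevForce or CAB code: a principal that drops the domain prefix only for groups from one expected domain and compares role names case-insensitively. The class name AdRolePrincipal and the trustedDomain parameter are assumptions, and how the principal is handed to the application from the LoginManager is not shown here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not DevForce or CAB code. AdRolePrincipal and
// trustedDomain are hypothetical names chosen for illustration.
public sealed class AdRolePrincipal : IPrincipal
{
    private readonly IIdentity _identity;
    private readonly List<string> _roles = new List<string>();

    public AdRolePrincipal(WindowsIdentity wid, string trustedDomain)
    {
        _identity = wid;
        IdentityReferenceCollection sids = wid.Groups;
        if (sids == null) return;
        foreach (IdentityReference sid in sids)
        {
            string name;
            // Translate one SID at a time so a single unresolvable SID
            // does not abort the whole role lookup.
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { continue; }

            // NTAccount values look like "DOMAIN\Group".
            int slash = name.IndexOf('\\');
            if (slash <= 0 || slash == name.Length - 1) continue;

            // Keep only groups from the expected domain, so that a local
            // machine group with the same short name does not grant the role.
            string domain = name.Substring(0, slash);
            if (!string.Equals(domain, trustedDomain, StringComparison.OrdinalIgnoreCase))
                continue;
            _roles.Add(name.Substring(slash + 1));
        }
    }

    public IIdentity Identity { get { return _identity; } }

    // Case-insensitive, so Role Allow="Sales" matches a group reported as "SALES".
    public bool IsInRole(string role)
    {
        if (role == null) return false;
        foreach (string r in _roles)
            if (string.Equals(r, role, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }
}
```

Stripping the prefix without the domain check would make a local group named Sales indistinguishable from the domain group of the same name.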


Posted By: Bill Jensen
Date Posted: 19-Sep-2007 at 12:57pm
Great!


