如何使用PrincipalPermissionAttribute类

Question

I have a webservice exposing certain methods. I want to restrict access of some of those methods to a particular group of users. On searching over the internet, I found that PrincipalPermissionAttribute class is what I need, but i did not get good enough example. Can anyone explain how this works?

This is how my web.config file looks like:

<System.Web>
 <authentication mode="windows">
 <authorization>
   <allow user="domain\group" />
 </authorization>
</System.Web>

Now the webservice method (C# Rest Webservice) that I want to restrict access is:

public void DeleteAction(string resourceId)
{
}

I have done two things:

1)

[PrincipalPermission(SecurityAction.Demand, role="domain\\group")]
   public void DeleteAction(string resourceId)
   {
      // delete action
   }

I get the following error message: "request for principal permission failed" and the second thing is how can I make the value of role to be dynamic ie selecting it from Web.config file rather than hardcoding it.

2)

public void DeleteAction(string resourceId)
   {
     WindowsIdentity wi = new WindowsIdentity.GetCurrent();
     WindowsPrincipal wp = new WindowsPrincipal(wi);

     if(wp.IsInRole("domain\\group"))
     {
       // delete action
     }
   }

In this approach, it works fine when I use a console program to host the webservice. When this service is hosted in IIS, I am not able to get this working. The user is never identified ie wp.IsInRole("domain\\group") is returning false.

I know, I am missing something here. Any help is appreciated.

Thanks,

Answer 1

It sounds like a user authentication issue. If you do not know who is the user you won't be able to know the permissions using the WindowsPrincipal.

Please make sure that your website is not using Asp.Net impersonation and that the forms authentication is enabled.

IIS -> WebSite -> Authentication

Take a look to the IIS Authentication

Regards,