如何确保 IsInRole 检查不使用缓存的凭据

Question

I have a WPF client that connects to a WCF service, and I want to lock down some of the functionality so that only certain users can perform certain actions. The WCF service impersonates the client user when executing service methods. The OS is Windows XP.

I was reading this question as part of my investigation into the best way to apply user roles to features in my application (I want to assign users to AD security groups, and then check IsInRole), and am worried that cached permissions will allow users who have had their permissions reduced to access functionality they no longer have permission to. Conversely, I am also worried that users who have had their permissions upgraded will need to log out of their windows account, or even that the WCF service might have to be restarted (worst case scenario) before they can access the new functionality.

What is the simplest way to ensure that both client and server can immediately see changes to the AD security groups?

Answer 1

You can always implement your own membership provider that queries the AD. It's pretty easy and you'll be sure that all permission evaluations are accurate, or at least exactly as you want them to be.

If you find querying the AD server on each evaluation to be "expensive" on performance you can create your own cache on the client which you can force to refresh periodically or on demand. This cache can be as simple as an indexed list (like a Dictionary) of permissions that you can query pretty fast.

Here's a good article on how to interact with AD: http://www.codeproject.com/KB/system/everythingInAD.aspx