WCF RIA authorization via local Windows groups

Developer https://www.devze.com 2023-04-04 18:28 Source: Internet
I'm currently developing a WCF RIA based Silverlight Business Application (intranet use only) for my company. I ran into a couple of problems when trying to authorize users. Here is the situation:

The app is running in our Windows domain and is therefore using Windows Authentication, which already works well. Access to certain domain service operations shall be restricted to members of a certain group (let's say "Admins"). This group is available locally on the server where the app is hosted and is already used to restrict access to the SQL Server instance. It will not be possible to add this group to the domain and make it available globally.

I know that I can restrict access to domain service methods via the RequiresRole[] attribute. The problem is, however, that the local group memberships of a user are not loaded into the user object that is available via WebContext.Current.User and therefore the authorization fails.

Is there any workaround or better way to do this?

Thanks in advance!


Have you tried setting the "PrincipalPermission" attribute on the service method you want to restrict?

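// Requires: using System.Security.Permissions;
// Demands that the calling principal is in the "Admin" role before the method body runs.
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
public string GetResult()
{
    return "result";
}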

Best regards, Arjen


I solved my issue.

What I did was to copy the AspnetDb database to the SQL Server instance on my server machine. This database is holding all the information about users, roles, etc. and is used by the ASP.NET role manager for authorization purposes. This database is usually located in the project folder of your Web project (inside the App_Data directory). To make the new configuration work, you have to change the connection string inside your Web.config (for more details: http://weblogs.asp.net/scottgu/archive/2005/08/25/423703.aspx).

I manually added new users to the database. The user name you enter there must match the Windows user name (e.g. DOMAIN\USER_NAME). Then you can add new roles to the database and give all your users their specific roles.

The ASP.NET role manager automatically loads the roles/users on application startup and you can restrict access to your domain service methods via the RequiresRole[] attribute.

In addition, there is also a way to dynamically show/hide/enable/disable user controls based on role membership, see here: http://blogs.msdn.com/b/kylemc/archive/2010/05/04/authorization-sample-201.aspx
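
The Web.config change described in the answer above could look like the following. This is an added illustration, not configuration from the original post; the connection string name, provider name, SERVER_NAME, the database name and the applicationName value are placeholders and assumptions.

```xml
<!-- Added illustration; server, database and provider names are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Points at the AspnetDb copy on the SQL Server instance instead of App_Data. -->
    <add name="RoleDb"
         connectionString="Data Source=SERVER_NAME;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Identity still comes from Windows; only the role lookup uses the database. -->
    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <!-- Roles are looked up by user name string, so users are stored as DOMAIN\USER_NAME. -->
        <!-- applicationName (assumed "/") has to match the application the roles were created under. -->
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="RoleDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

With this setup the role tables are the authorization source, so any login that can write to them can grant the "Admins" role; the database permissions on the AspnetDb copy should be restricted accordingly.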
