isInRole doesn't work for one user, but works for everyone else

D

Dominick Baier

Hi,

i must admin - i don't really understand your logic.

why don't you just call User.IsInRole("role"); ???

another note - the documentation states that your are only allowed to call SetPrincipalPolicy once per AppDomain - maybe something is wrong here...

You only have to call SetPrincipalPolicy if no plumbing has populated Thread.CurrentPrincipal for you (e.g. in a console / winforms app) - but ASP.NET does that.



---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<[email protected]>

I have an ASP.NET/C# application in which I verify that the current user is a
member of a list of roles before giving them access to particular functions
of the application (read vs update). I am using the IsInRole method of the
IPrincipal object to check for role membership. Currently, I am just
checking the domain/username against a list of domain/usernames, and will
eventually created Groups.

This is working well for all users, except one. Although my application is
correctly identifying this user with the correct domain/username, the
isinrole call returns false.

My code is below:

from the .aspx.cs:

private void Page_Load(object sender, System.EventArgs e)
{
if (!((Security)(Application["security"])).userInRole("edit",
HttpContext.Current.User))
edit = false;
else
edit = true;


}

This code is from a C# object (called "Security") and is called from the
page above:


public Boolean userInRole(String role, IPrincipal principal)
{
Boolean inRole = false;

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

//get users from hashtable
String[] users = (String[])securityRolesMap[role];

//loop through users to see is the current user matches

for(int i=0;i< users.Length;i++)
{
String user = users;
if (principal.IsInRole(users.ToLower()))
{
inRole = true;
break;
}
}

return inRole;

}


Any ideas why this would work okay for everyone except one user?


[microsoft.public.dotnet.framework.aspnet.security]
 
P

petersonrj

Dominick,

Thanks for the information on SetPrincipalPolicy method. I removed that
from my code.

The userInRole method that I created is intended to be a reusable method
throughout my application, as I need this functionality in multiple places.
So, I really am just calling User.IsInRole("role") since User is an
IPrincipal.

For the user for which the call wasn't working, I created an AD group and
added them as a member. The isInRole works fine for that user when comparing
to a group, just not against their user id. I'm still not sure why, but at
least I've got the app working.

Thanks for your help!


Dominick Baier said:
Hi,

i must admin - i don't really understand your logic.

why don't you just call User.IsInRole("role"); ???

another note - the documentation states that your are only allowed to call SetPrincipalPolicy once per AppDomain - maybe something is wrong here...

You only have to call SetPrincipalPolicy if no plumbing has populated Thread.CurrentPrincipal for you (e.g. in a console / winforms app) - but ASP.NET does that.



---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<[email protected]>

I have an ASP.NET/C# application in which I verify that the current user is a
member of a list of roles before giving them access to particular functions
of the application (read vs update). I am using the IsInRole method of the
IPrincipal object to check for role membership. Currently, I am just
checking the domain/username against a list of domain/usernames, and will
eventually created Groups.

This is working well for all users, except one. Although my application is
correctly identifying this user with the correct domain/username, the
isinrole call returns false.

My code is below:

from the .aspx.cs:

private void Page_Load(object sender, System.EventArgs e)
{
if (!((Security)(Application["security"])).userInRole("edit",
HttpContext.Current.User))
edit = false;
else
edit = true;


}

This code is from a C# object (called "Security") and is called from the
page above:


public Boolean userInRole(String role, IPrincipal principal)
{
Boolean inRole = false;

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

//get users from hashtable
String[] users = (String[])securityRolesMap[role];

//loop through users to see is the current user matches

for(int i=0;i< users.Length;i++)
{
String user = users;
if (principal.IsInRole(users.ToLower()))
{
inRole = true;
break;
}
}

return inRole;

}


Any ideas why this would work okay for everyone except one user?


[microsoft.public.dotnet.framework.aspnet.security]
 
P

Patrick.O.Ige

Have u set ur IIS settings..
Go the Virtual Directory ur aplication is on IIS and clear the check box
Anonymous Access

petersonrj said:
Dominick,

Thanks for the information on SetPrincipalPolicy method. I removed that
from my code.

The userInRole method that I created is intended to be a reusable method
throughout my application, as I need this functionality in multiple places.
So, I really am just calling User.IsInRole("role") since User is an
IPrincipal.

For the user for which the call wasn't working, I created an AD group and
added them as a member. The isInRole works fine for that user when comparing
to a group, just not against their user id. I'm still not sure why, but at
least I've got the app working.

Thanks for your help!
call SetPrincipalPolicy once per AppDomain - maybe something is wrong
here...Thread.CurrentPrincipal for you (e.g. in a console / winforms app) - but
ASP.NET does that.
nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/
I have an ASP.NET/C# application in which I verify that the current user is a
member of a list of roles before giving them access to particular functions
of the application (read vs update). I am using the IsInRole method of the
IPrincipal object to check for role membership. Currently, I am just
checking the domain/username against a list of domain/usernames, and will
eventually created Groups.

This is working well for all users, except one. Although my application is
correctly identifying this user with the correct domain/username, the
isinrole call returns false.

My code is below:

from the .aspx.cs:

private void Page_Load(object sender, System.EventArgs e)
{
if (!((Security)(Application["security"])).userInRole("edit",
HttpContext.Current.User))
edit = false;
else
edit = true;


}

This code is from a C# object (called "Security") and is called from the
page above:


public Boolean userInRole(String role, IPrincipal principal)
{
Boolean inRole = false;
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)
;
//get users from hashtable
String[] users = (String[])securityRolesMap[role];

//loop through users to see is the current user matches

for(int i=0;i< users.Length;i++)
{
String user = users;
if (principal.IsInRole(users.ToLower()))
{
inRole = true;
break;
}
}

return inRole;

}


Any ideas why this would work okay for everyone except one user?


[microsoft.public.dotnet.framework.aspnet.security]
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,995
Messages
2,570,226
Members
46,815
Latest member
treekmostly22

Latest Threads

Top