Security Exception

Jason

Hi

I have an ASP.NET application where I would like to authenticate the
connecting users according to the Local Users and Groups on the web server.
I have the following code in the ASP.NET project.

    private static void Demand(string[] groups)
    {
        WindowsIdentity processIdentity = WindowsIdentity.GetCurrent();
        Console.WriteLine(processIdentity.Name);

        IPermission permission = null;
        foreach(string strGroup in groups)
        {
            string strDomainAndGroup = strGroup;
            if(strGroup.IndexOf ('\\') == -1)
            {
                strDomainAndGroup = Environment.MachineName + "\\" + strGroup;
            }

            if(permission == null)
            {
                permission = new PrincipalPermission(null, strDomainAndGroup);
            }
            else
            {
                permission = permission.Union(new PrincipalPermission(null, strDomainAndGroup));
            }
        }

        if(permission != null)
        {
            permission.Demand();

            // Revert to self, so that all actions now happen as the
            // process user, not as the impersonated user.
            Win32.AdvApi.RevertToSelf();
        }
    }



But I get the following error when I hit the "permission.Demand();" line:

Security Exception
Description: The application attempted to perform an operation not allowed
by the security policy. To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.

Exception Details: System.Security.SecurityException: Request for principal
permission failed.

I know it says I must change the application's trust level, but I don't know
how to do this. Does someone have an example? Or a solution to my problem even?
It would be much appreciated... thanks.

Jason
 
Chris R. Timmons

Jason,

I think you may have the wrong impression as to what the
Demand() method does.

Demand() is not a "demand" in the sense that your code is
demanding to be given a permission. There is no way for
code to grant itself more permissions than it was granted
by the security policies set by the administrator.
Demand() is "demanding" that .Net verify a certain state is
true. In this case, the state to be verified is whether
or not the role and ID of the PrincipalPermission match
the role and ID of the current thread's principal.
You are getting an exception because one or more of
your groups is not in the list of roles of the current
thread's principal.

http://msdn.microsoft.com/library/d...ypermissionsprincipalpermissionclasstopic.asp

or

http://tinyurl.com/7xpds

You could change your void method Demand to a boolean method
called IsAuthenticated. Wrap the permission.Demand() call
in a try/catch block, and return false from the catch block.
Return true if no exceptions occur.

You also appear to be doing some kind of identity impersonation
through the Windows API. (Note that Demand() does not have anything
to do with impersonation). Managed wrappers for this functionality
are provided in the .Net framework.

http://msdn.microsoft.com/library/d...ry/en-us/cpguide/html/cpconaspnetdataflow.asp

or

http://tinyurl.com/4pu4a

There are also many messages in Google Groups and pages in the
regular Google search engine relating to ASP.Net impersonation.
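
The boolean check suggested in the reply above, as an added example that is not code from the original thread. It assumes .NET Framework; the class name `GroupCheck`, the method name `IsInAnyGroup`, the `Reports` and `Admins` group names and the constructed `GenericPrincipal` are hypothetical and stand in for the application's real authenticated user.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class GroupCheck
{
    // Qualify bare group names with the local machine name, as the posted code does.
    static string Qualify(string group)
    {
        return group.IndexOf('\\') == -1 ? Environment.MachineName + "\\" + group : group;
    }

    // True when the current thread's principal is in at least one of the groups.
    // Demand() only verifies state and grants nothing, so a failed check becomes false.
    public static bool IsInAnyGroup(string[] groups)
    {
        IPermission permission = null;
        foreach (string group in groups)
        {
            var p = new PrincipalPermission(null, Qualify(group));
            permission = permission == null ? p : permission.Union(p);
        }
        if (permission == null) return false;   // no groups listed: deny by default
        try
        {
            permission.Demand();                // checked against Thread.CurrentPrincipal
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    static void Main()
    {
        // Constructed principal standing in for the authenticated request user.
        string role = Environment.MachineName + "\\Reports";
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("constructed-user"), new[] { role });

        // A unioned PrincipalPermission passes when any one entry matches.
        Console.WriteLine(IsInAnyGroup(new[] { "Reports", "Admins" }));
        Console.WriteLine(IsInAnyGroup(new[] { "Admins" }));
    }
}
```

The check reads `Thread.CurrentPrincipal`, not the process identity returned by `WindowsIdentity.GetCurrent()`, so the principal attached to the request thread determines the result.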
 