If you use Windows groups for authorization, use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

If you use Windows groups for authorization, consider using the ASP.NET Role Provider with the provider named AspNetWindowsTokenRoleProvider. This separates the design of the authorization from its implementation inside your service: if you later decide to change the role provider, the code that performs the authorization is not affected. Also consider performing imperative checks with the role manager API instead of performing authorization checks with WindowsPrincipal.IsInRole.

The following configuration example shows how to configure AspNetWindowsTokenRoleProvider:

Enable the role manager and configure it to use AspNetWindowsTokenRoleProvider as the default provider:
<system.web>
…
<roleManager enabled="true"
             defaultProvider="AspNetWindowsTokenRoleProvider" />
…
</system.web>

Configure the service behavior to use ASP.NET roles and the role provider:
….
<behaviors>
    <serviceBehaviors>
        <behavior name="BehaviorConfiguration">
            <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                roleProviderName="AspNetWindowsTokenRoleProvider" />
            <serviceMetadata />
        </behavior>
    </serviceBehaviors>
</behaviors>
….

The following code shows how to do the authorization check in code, using Role Manager API:
// Requires: using System.Web.Security;
if (Roles.IsUserInRole(@"accounting"))
{
    // authorized
}
else
{
    // authorization failed
}
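
The check above placed in a service, as an added example that is not part of the original guidance: one operation uses a declarative demand, the other the imperative role manager check, and both deny access unless the role provider confirms membership. ILedgerService, LedgerService and the CONTOSO\Accounting group are hypothetical names, and the example assumes the configuration shown earlier on this page.

```csharp
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Web.Security;

// Hypothetical contract, used only for this example.
[ServiceContract]
public interface ILedgerService
{
    [OperationContract]
    decimal GetBalance(string account);

    [OperationContract]
    void PostEntry(string account, decimal amount);
}

public class LedgerService : ILedgerService
{
    // Placeholder group name. With the Windows token role provider,
    // role names are Windows group names (DOMAIN\Group).
    private const string AccountingRole = @"CONTOSO\Accounting";

    // Declarative check: the demand runs before the method body.
    // With principalPermissionMode="UseAspNetRoles" it is answered
    // by the configured role provider.
    [PrincipalPermission(SecurityAction.Demand, Role = AccountingRole)]
    public decimal GetBalance(string account)
    {
        return 0m; // placeholder result
    }

    // Imperative check through the role manager API. The code names
    // only the role, so swapping the provider in configuration does
    // not require a change here.
    public void PostEntry(string account, decimal amount)
    {
        if (!Roles.IsUserInRole(AccountingRole))
        {
            // Fail closed: do no work for callers outside the role.
            throw new SecurityAccessDeniedException("Access is denied.");
        }

        // Authorized work goes here.
    }
}
```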

Last edited Apr 23, 2008 at 11:30 PM by prashantbansode, version 2
