Thread: Roles from ASP.NET to COM+

  1. #1

    Thread Starter
    New Member
    Join Date
    Sep 2000
    Posts
    11

    Roles from ASP.NET to COM+

    Hi,

    I wish to keep my users and roles in a database and use forms authentication to check the credentials of the user. If the credentials are OK, I wish to create a new GenericPrincipal and assign role names based on the user's roles stored in the database. I then assign the new GenericPrincipal to the Context.User.

    I was then hoping that calls into .NET assemblies in COM+ would pick up on the caller's roles that were set against the GenericPrincipal in my ASP.NET page. The roles used in COM+ match those of the database. But COM+ detects machinename/ASPNET as the identity, not that of the GenericPrincipal, and errors with 'Access Denied'.

    I have set basic and windows authentication 'off', and anonymous to 'on'. COM+ has 'Enforce access checks' and 'Perform checks at Process and Component Level'.

    Does anyone know how to get the Principal I have set on my ASP.NET logon page to authenticate through to COM+? Any answers much appreciated.

    Cheers,
    RC

  2. #2
    Banished Cander's Avatar
    Join Date
    Dec 2000
    Location
    Why do you care?
    Posts
    6,913
    I don't have examples currently, but I would look into Impersonation. You can impersonate the Principal you specify when you run the COM+ object in ASP.NET code. Then you can revert back to being the ASPNET user when done.

  3. #3

    Thread Starter
    New Member
    Join Date
    Sep 2000
    Posts
    11
    Hi Cander

    Thanks for the quick reply.

    I did think about setting <identity impersonate="true" /> in the config, but then it kept asking me for a Windows domain logon. As our users are kept in the database, I could not set this. I could alternatively set the request to run under a Windows account, but this is not what I am trying to do - I want the principal I set in code to be used, not a dummy Windows account.

    Do you have any ideas on how I can impersonate the generic principal in code? Alternatively, any other ideas?

    Thanks,
    RC

  4. #4
    Banished Cander's Avatar
    Join Date
    Dec 2000
    Location
    Why do you care?
    Posts
    6,913
    You can do this in code and specifically specify what role you want to use, not just use the Web.config. Like I said, I don't have an example, but I am sure that will do what you need. Basically it works something like

    ImpersonateRole("Admin")
    myObj = New Comobject.Class


    That's obviously isn't the right code, but it should give you an idea as to what you can do with Impersonation.

  5. #5
    Banished Cander's Avatar
    Join Date
    Dec 2000
    Location
    Why do you care?
    Posts
    6,913

  6. #6
    Your Ad Here! Edneeis's Avatar
    Join Date
    Feb 2000
    Location
    Moreno Valley, CA (SoCal)
    Posts
    7,339
    I think you may still have the problem though, unless the users and roles in the database match actual Windows accounts. See, the trouble is that the process is running under ASPNET's user account. As Cander said, you can impersonate another Windows user account with a different set of permissions, but if the database user/roles aren't actual Windows accounts then it still won't work. Then if they ARE actual Windows accounts then there shouldn't be any need to have them in a database. You could use a group or groups to set permissions and then check that against their actual Windows account.

  7. #7

    Thread Starter
    New Member
    Join Date
    Sep 2000
    Posts
    11
    The problem is that we would have to have many different windows groups to reflect the different types in our application. I could have, say, 10 different windows groups to match the different roles that we will be using in our application, and then impersonate each role to a matching windows group. That seems pretty unmanageable.

    Reading the link at the bottom of the page led me to think that COM+ would be able to check the roles on the user. COM+ itself implements roles differently to Windows accounts. If it is only ASPNET that will impersonate through to COM+, what are the alternative approaches? How have others gone about implementing forms authentication and setting different role permissions on COM assemblies?

    RC

    Link to info:
    http://groups.google.com/groups?hl=e...ublic.dotnet.*

  8. #8
    Your Ad Here! Edneeis's Avatar
    Join Date
    Feb 2000
    Location
    Moreno Valley, CA (SoCal)
    Posts
    7,339
    Maybe I'm wrong on this one; I'm not that familiar with how COM+ uses roles. Hopefully I am wrong.

    I haven't had to do a lot of Impersonation yet and am not currently using any COM+ objects in my .NET projects, but I just check the current user's roles for whatever security I need based on groups in their Windows account.

  9. #9

    Thread Starter
    New Member
    Join Date
    Sep 2000
    Posts
    11
    Maybe I'm wrong on this one; I'm not that familiar with how COM+ uses roles. Hopefully I am wrong.

    I haven't had to do a lot of Impersonation yet and am not currently using any COM+ objects in my .NET projects, but I just check the current user's roles for whatever security I need based on groups in their Windows account.

    Unfortunately Edneeis, I think you are correct!

    COM+ roles are kept separate from Windows accounts and groups. But COM+ does allow different Windows accounts and groups to be added to a COM+ defined role.

    What I was hoping is that COM+ would also check the role of the originalCaller to see if access should be allowed. But the ASPNET process overrides the GenericPrincipal I have set. Because I am using application users and roles, I cannot use Windows accounts...which makes COM+ role security a little limited.

    What I could do would be to create a different user for each role in my system, and match up the roles in my DB with the Windows roles...which isn't my ideal solution.

    Anyone else have any good ideas?

    Thanks,
    RC
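
Added example, not part of the thread or any poster's code: a GenericPrincipal lives only in managed code, while COM+ role checks are made against the Windows account the call arrives under, so one option is to check the application role on the ASP.NET side before the call is made. The role names, `LoadRolesFromDatabase`, `InvokeIfInRole` and `FakeComPlusMethod` are hypothetical, and the sketch assumes the COM+ role is granted to the ASPNET account only.

```vb
Imports System
Imports System.Security
Imports System.Security.Principal

Module RoleGateDemo
    ' Constructed sample data standing in for the users/roles tables (hypothetical).
    Function LoadRolesFromDatabase(userName As String) As String()
        If userName = "alice" Then Return New String() {"Admin", "Clerk"}
        Return New String() {"Clerk"}
    End Function

    ' What the logon page does: wrap the database roles in a GenericPrincipal.
    Function BuildPrincipal(userName As String) As IPrincipal
        Return New GenericPrincipal(New GenericIdentity(userName, "Forms"),
                                    LoadRolesFromDatabase(userName))
    End Function

    ' Managed-side gate: the application role is checked here, before the call
    ' leaves for COM+, because COM+ only ever sees the Windows token.
    Function InvokeIfInRole(user As IPrincipal, role As String,
                            comPlusCall As Func(Of String)) As String
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated _
           OrElse Not user.IsInRole(role) Then
            Throw New SecurityException("Application role '" & role & "' required.")
        End If
        Return comPlusCall()
    End Function

    ' Hypothetical stand-in for a method on the serviced component. It reports
    ' the Windows account the call is made under (machinename\ASPNET in the
    ' thread), which stays the same whichever GenericPrincipal is in use.
    Function FakeComPlusMethod() As String
        Return "COM+ sees caller: " & WindowsIdentity.GetCurrent().Name
    End Function

    Sub Main()
        For Each name As String In New String() {"alice", "bob"}
            Dim user As IPrincipal = BuildPrincipal(name)
            Try
                Console.WriteLine(name & " -> " &
                    InvokeIfInRole(user, "Admin", AddressOf FakeComPlusMethod))
            Catch ex As SecurityException
                Console.WriteLine(name & " -> denied: " & ex.Message)
            End Try
        Next
    End Sub
End Module
```

Run as a console program, both users produce the same Windows account name on the COM+ side; only the managed gate distinguishes them.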
