I have a WCF 4.0 service. I am running it locally in IIS Express and am using AzMan to manage security. I am able to use the declarative syntax to secure the services, and prevent class instantiation in a class library. However, when I decorate a method in the class it has no effect.
    [PrincipalPermission(SecurityAction.Demand, Role = "AdminRole")] //THIS WORKS
    public class MaintainUser
    {
        [PrincipalPermission(SecurityAction.Demand, Role = "CreateNewUserx")] //THIS DOES NOT WORK
        public void CreateNewUser()
        {
            if (ViterraSecurity.VerifyAccess.HasOperation("CreateNewUserx", ViterraSecurity.VerifyAccess.BasisOperations.CreatUser))
            {
                return;
            }
            throw new AccessViolationException("CreateNewUser");
        }
    }
Is it possible to enable security checks on methods?
I'm guessing that CreateNewUserx is an operation or task in AzMan, not a role. AuthorizationStoreRoleProvider only recognizes AzMan roles, and PrincipalPermission only checks the roles exposed by an IPrincipal. However, this is a bit of a backwards way of using AzMan, since the main point of an operations-based authorization mechanism is to allow roles to be user-configurable and allow the application to only worry about operations.
I would recommend scrapping your demands for roles in favour of demanding only operation permissions. With such an approach, you would need to change either your permission (and attribute) or your principal implementation, or both to be aware of AzMan operations.
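The "change your principal implementation" option from the answer above, as an added sketch that is not part of the original answer or the asker's code base: because PrincipalPermission calls IsInRole on Thread.CurrentPrincipal, a principal that resolves that call against operations lets the existing attribute demand an operation. IOperationAuthorizer, OperationPrincipal and InMemoryAuthorizer are hypothetical names, and the in-memory grant stands in for a real AzMan access check.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical seam over the AzMan store; a real implementation would run an
// AzMan access check for the caller instead of reading an in-memory set.
public interface IOperationAuthorizer { bool IsAllowed(IIdentity identity, string operation); }

// Principal whose IsInRole answers "may this caller perform operation X?",
// so a PrincipalPermission demand names an operation rather than a role.
public sealed class OperationPrincipal : IPrincipal
{
    private readonly IOperationAuthorizer _authorizer;
    public OperationPrincipal(IIdentity identity, IOperationAuthorizer authorizer)
    { Identity = identity; _authorizer = authorizer; }
    public IIdentity Identity { get; private set; }
    // Fail closed: an unauthenticated caller holds no operations.
    public bool IsInRole(string operation)
    { return Identity.IsAuthenticated && _authorizer.IsAllowed(Identity, operation); }
}

// Constructed sample data: only "alice" is granted the operation.
public sealed class InMemoryAuthorizer : IOperationAuthorizer
{
    private readonly HashSet<string> _grants = new HashSet<string> { "alice:CreateNewUserx" };
    public bool IsAllowed(IIdentity identity, string operation)
    { return _grants.Contains(identity.Name + ":" + operation); }
}

public class MaintainUser
{
    [PrincipalPermission(SecurityAction.Demand, Role = "CreateNewUserx")]
    public void CreateNewUser() { Console.WriteLine("user created"); }
}

public static class Demo
{
    public static void Main()
    {
        var authz = new InMemoryAuthorizer();
        Thread.CurrentPrincipal = new OperationPrincipal(new GenericIdentity("alice"), authz);
        new MaintainUser().CreateNewUser(); // demand succeeds for alice
        Thread.CurrentPrincipal = new OperationPrincipal(new GenericIdentity("bob"), authz);
        try { new MaintainUser().CreateNewUser(); } catch (SecurityException) { Console.WriteLine("bob denied"); }
    }
}
```

In a WCF service the principal has to be in place on the request thread before the method is invoked, otherwise the demand is evaluated against whatever default principal the host supplies.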