petersonrj #1
isInRole doesn't work for one user, but works for everyone else
I have an ASP.NET/C# application in which I verify that the current user is a
member of a list of roles before giving them access to particular functions
of the application (read vs update). I am using the IsInRole method of the
IPrincipal object to check for role membership. Currently, I am just
checking the domain/username against a list of domain/usernames, and will
eventually create Groups.
This is working well for all users, except one. Although my application is
correctly identifying this user with the correct domain/username, the
IsInRole call returns false.
My code is below:
From the .aspx.cs:

    private void Page_Load(object sender, System.EventArgs e)
    {
        if (!((Security)(Application["security"])).userInRole("edit",
                HttpContext.Current.User))
            edit = false;
        else
            edit = true;
    }

This code is from a C# object (called "Security") and is called from the
page above:

    public Boolean userInRole(String role, IPrincipal principal)
    {
        Boolean inRole = false;
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        //get users from hashtable
        String[] users = (String[])securityRolesMap[role];
        //loop through users to see if the current user matches
        for (int i = 0; i < users.Length; i++)
        {
            String user = users[i];
            if (principal.IsInRole(users[i].ToLower()))
            {
                inRole = true;
                break;
            }
        }
        return inRole;
    }

Any ideas why this would work okay for everyone except one user?
petersonrj Guest
-
Dominick Baier #2
isInRole doesn't work for one user, but works for everyone else
Hi,
I must admit - I don't really understand your logic.
Why don't you just call User.IsInRole("role")?
Another note - the documentation states that you are only allowed to call SetPrincipalPolicy once per AppDomain - maybe something is wrong here...
You only have to call SetPrincipalPolicy if no plumbing has populated Thread.CurrentPrincipal for you (e.g. in a console / winforms app) - but ASP.NET does that.
---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Dominick Baier Guest
-
petersonrj #3
RE: isInRole doesn't work for one user, but works for everyone else
Dominick,
Thanks for the information on SetPrincipalPolicy method. I removed that
from my code.
The userInRole method that I created is intended to be a reusable method
throughout my application, as I need this functionality in multiple places.
So, I really am just calling User.IsInRole("role") since User is an
IPrincipal.
For the user for which the call wasn't working, I created an AD group and
added them as a member. The isInRole works fine for that user when comparing
to a group, just not against their user id. I'm still not sure why, but at
least I've got the app working.
Thanks for your help!
petersonrj Guest
-
Patrick.O.Ige #4
Re: isInRole doesn't work for one user, but works for everyone else
Have you set your IIS settings?
Go to the Virtual Directory your application is on in IIS and clear the
Anonymous Access check box.
Patrick.O.Ige Guest
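
An added example, not code from any poster in this thread: a variant of the userInRole helper that compares account entries against Identity.Name and hands only group names to IsInRole, which on a WindowsPrincipal is a Windows group membership check. RoleMap, AllowUser, AllowGroup and the CONTOSO names are assumptions, and the thread does not establish why the one account failed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
// Added example: RoleMap, AllowUser and AllowGroup are hypothetical names.
public sealed class RoleMap
{
    private readonly Dictionary<string, List<string>> users =
        new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<string, List<string>> groups =
        new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);

    public void AllowUser(string role, string account) { Add(users, role, account); }
    public void AllowGroup(string role, string groupName) { Add(groups, role, groupName); }
    private static void Add(Dictionary<string, List<string>> map, string role, string entry)
    {
        if (!map.ContainsKey(role)) map[role] = new List<string>();
        map[role].Add(entry);
    }

    public bool UserInRole(string role, IPrincipal principal)
    {
        // Deny by default: no principal or an anonymous identity gets nothing.
        if (principal == null || !principal.Identity.IsAuthenticated) return false;
        List<string> entries;
        // Account entries: compare with the authenticated name, ignoring case.
        if (users.TryGetValue(role, out entries))
            foreach (string account in entries)
                if (string.Equals(account, principal.Identity.Name, StringComparison.OrdinalIgnoreCase))
                    return true;
        // Group entries: the only values handed to IsInRole.
        if (groups.TryGetValue(role, out entries))
            foreach (string groupName in entries)
                if (principal.IsInRole(groupName)) return true;
        return false;
    }

    public static void Main()
    {
        // Constructed identities; in ASP.NET pass HttpContext.Current.User instead.
        var map = new RoleMap();
        map.AllowUser("edit", @"CONTOSO\alice");
        map.AllowGroup("edit", @"CONTOSO\AppEditors");
        var alice = new GenericPrincipal(new GenericIdentity(@"contoso\ALICE"), new string[0]);
        var bob = new GenericPrincipal(new GenericIdentity(@"CONTOSO\bob"), new[] { @"CONTOSO\AppEditors" });
        var eve = new GenericPrincipal(new GenericIdentity(@"CONTOSO\eve"), new string[0]);
        Console.WriteLine("{0} {1} {2}", map.UserInRole("edit", alice),
            map.UserInRole("edit", bob), map.UserInRole("edit", eve));
    }
}
```

The IsAuthenticated check is what makes the helper fail closed when Anonymous Access is left enabled in IIS and the request arrives without a Windows identity.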