Search code examples
wcfauthorizationroleproviderprincipalpermission

WCF: Custom RoleProvider with PrincipalPermissions: Doesn't appear to get hit / how to debug it?

I have a custom role provider that inherits off RoleProvider. In the web app this works fine with no problems.

However I am also using it in the WCF service and am having great problems stepping into it. to the extent that I suspect it isn't being hit at all. If I turn on any principal permissions at all I get access denied and the stack trace is totally unhelpful. even the WCF traces arnt really helpful in ascertaining what has happened.

I know that the TennisRoleProvider works off its default constructor and have verified its methods via test. It seems to be an integration issue.

So snippets ...

EDIT: I have since moved the role provider into the service assembly as read something about needing to involve GAK and keys (needs to run in full trust). I went down that path but things still didnt work so decided to simply move stuff into the service project to simplify. Still no joy. 

<roleManager defaultProvider="TennisRoleProvider"
             enabled="true"
             >
  <providers>
    <clear/>
    <add name="TennisRoleProvider"
         type="Tennis.Security.TennisRoleProvider, Tennis.Security" />
  </providers>
</roleManager>

   <bindings>
     <wsHttpBinding>
        <binding name="wsHttpUserName">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName"/>
            <transport clientCredentialType="None"/>
          </security>
        </binding>
     </wsHttpBinding>
   <bindings/>


    <behavior name="RoleBehavior">
       <serviceCredentials>
         <serviceCertificate findValue="john-pc"
                      storeLocation="LocalMachine"
                      storeName="My"
                      x509FindType="FindBySubjectName"/>
       <userNameAuthentication userNamePasswordValidationMode="Custom" 
customUserNamePasswordValidatorType="Tennis.Components.TennisUserValidator, Tennis.Components"/>
      </serviceCredentials>

      <serviceAuthorization principalPermissionMode="UseAspNetRoles" 
                            roleProviderName="TennisRoleProvider">
      </serviceAuthorization>

      <serviceMetadata httpsGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="true"/>
      <errorHandler />
    </behavior>

   <services>
      <service name="Tennis.Service.Services"
               behaviorConfiguration="RoleBehavior">
          <endpoint address="Family"
                 binding="wsHttpBinding"
                 bindingConfiguration="wsHttpUserName"
                 contract="Tennis.Service.Contracts.IFamilyAdmin"
                  />
      </service>
    </services>

Then on the service method i have the following (Roles.Family admin is a string)

[PrincipalPermission(SecurityAction.Demand, Name = Roles.FamilyAdmin)]
public VoidResult<SuccessEnum> UpdateFamily(Family family)
{

}

so there are 2 questions ... 1) what have I done wrong? 2) How can I get into WCF to figure out exactly what is going wrong?

Cheers

The stack trace for the error in the logs is as follows Note the permission in there is a different to the one I used above (Namley 'authorised' instead of 'FamilyAdmin'. However In the real thing those values match and the user has the correct permissions.

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
<EventID>131076</EventID>
<Type>3</Type>
<SubType Name="Warning">0</SubType>
<Level>4</Level>
<TimeCreated SystemTime="2012-06-29T12:45:30.2469191Z" />
<Source Name="System.ServiceModel" />
<Correlation ActivityID="{6e59b4f4-d59b-42eb-ad8e-4d5853f72900}" />
<Execution ProcessName="w3wp" ProcessID="9388" ThreadID="18" />
<Channel />
<Computer>JOHNN-PC</Computer>
</System>
<ApplicationData>
<TraceData>
<DataItem>
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning">
<TraceIdentifier>http://msdn.microsoft.com/en-GB/library/System.ServiceModel.Diagnostics.TraceHandledException.aspx</TraceIdentifier>
<Description>Handling an exception.</Description>
<AppDomain>/LM/W3SVC/2/ROOT/Tennis-1-129854474506679191</AppDomain>
<Exception>
<ExceptionType>System.Security.SecurityException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Request for principal permission failed.</Message>
<StackTrace>
at System.Security.Permissions.PrincipalPermission.ThrowSecurityException()
at System.Security.Permissions.PrincipalPermission.Demand()
at System.Security.PermissionSet.DemandNonCAS()
at Nomical.Tennis.Service.Services.GetBookingsForUser(DateTime start, DateTime end) in c:\tfs\Tennis\TennisSolution\TennisCourts\Services.svc.cs:line 388
at SyncInvokeGetBookingsForUser(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
</StackTrace>
<ExceptionString>System.Security.SecurityException: Request for principal permission failed.
   at System.Security.Permissions.PrincipalPermission.ThrowSecurityException()
   at System.Security.Permissions.PrincipalPermission.Demand()
   at System.Security.PermissionSet.DemandNonCAS()
   at Tennis.Service.Services.GetBookingsForUser(DateTime start, DateTime end) in c:\tfs\Tennis\TennisSolution\TennisCourts\Services.svc.cs:line 388
   at SyncInvokeGetBookingsForUser(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Security.Permissions.PrincipalPermission
The first permission that failed was:
&lt;IPermission class="System.Security.Permissions.PrincipalPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"&gt;
&lt;Identity Authenticated="true"
ID="Authorised"/&gt;
&lt;/IPermission&gt;

The demand was for:
&lt;IPermission class="System.Security.Permissions.PrincipalPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"&gt;
&lt;Identity Authenticated="true"
ID="Authorised"/&gt;
&lt;/IPermission&gt;

The assembly or AppDomain that failed was:
mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionString>
</Exception>
</TraceRecord>
</DataItem>
</TraceData>
</ApplicationData>
</E2ETraceEvent>

EDIT: Based on the answer below I added a few lines of code into the constructor - which whilst they don't achieve anything encouraged me to interrogate the thread static class.

EDIT: given a question about logs updated log to show that it is indeed from the log - or I am confused ;)

The TennisRoleProvider is referenced by it in its non public members - moreover when I overrode Name to make it return something I would recognise this was returned by it.

Solution

  • The problem was that I am using security across assemblies / app domains.

    I need to make everything trusted and signed for it to work.