I am trying to work out why attribute based security isn't working as I'd expect in WCF and I suspect it might have something to do with the following:
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
var identity = new WindowsIdentity("ksarfo");
var principal = new WindowsPrincipal(identity);
Console.WriteLine("\nChecking whether current user [" + identity.Name + "] is member of [" + groupName + "]");
Console.WriteLine(principal.IsInRole(groupName)); // returns true
principal = (WindowsPrincipal)Thread.CurrentPrincipal;
identity = (WindowsIdentity) principal.Identity;
Console.WriteLine("\nChecking whether current user [" + identity.Name + "] is member of [" + groupName + "]");
Console.WriteLine(principal.IsInRole(groupName)); // returns false
I don't understand why the results differ for the function call:
principal.IsInRole(groupName)
For the sake of completeness the point at which the code actually fails is here:
PrincipalPermission(SecurityAction.Demand, Role = "PortfolioManager")]
Maybe it's because this is not the same classes.
Look at MSDN :
So, if there are differents classes, maybe there are differents implementations.
EDIT :
I have try this code :
public class InGroup
{
public string Name { get; set; }
public bool Current { get; set; }
public bool Fixe { get; set; }
public bool Thread { get; set; }
}
WindowsIdentity current = System.Security.Principal.WindowsIdentity.GetCurrent();
WindowsPrincipal principalcurrent = new WindowsPrincipal(current);
WindowsIdentity fixe = new WindowsIdentity("JW2031");
WindowsPrincipal principalFixe = new WindowsPrincipal(fixe);
IPrincipal principalThread = System.Threading.Thread.CurrentPrincipal;
List<InGroup> ingroups = new List<InGroup>();
foreach (IdentityReference item in current.Groups)
{
IdentityReference reference = item.Translate(typeof(NTAccount));
Console.WriteLine("{0}\t{1}\t{2}\t{3}",
reference.Value,
principalcurrent.IsInRole(reference.Value),
principalFixe.IsInRole(reference.Value),
principalThread.IsInRole(reference.Value));
ingroups.Add(new InGroup()
{
Name = reference.Value,
Current = principalcurrent.IsInRole(reference.Value),
Fixe = principalFixe.IsInRole(reference.Value),
Thread = principalThread.IsInRole(reference.Value)
});
}
foreach (IdentityReference item in fixe.Groups)
{
IdentityReference reference = item.Translate(typeof(NTAccount));
if (ingroups.FindIndex(g => g.Name == reference.Value) == -1)
{
ingroups.Add(new InGroup()
{
Name = reference.Value,
Current = principalcurrent.IsInRole(reference.Value),
Fixe = principalFixe.IsInRole(reference.Value),
Thread = principalThread.IsInRole(reference.Value)
});
Console.WriteLine("{0}\t{1}\t{2}\t{3}",
reference.Value,
principalcurrent.IsInRole(reference.Value),
principalFixe.IsInRole(reference.Value),
principalThread.IsInRole(reference.Value));
}
}
And here is the result
As you can see, I did not have the same groups with differents ways. So (because I'm administrator of my local machine) I think that WindowsIdentity.GetCurrent will get the user from AD and WindowsPrincipal(WindowsIdentity("")) will get the user from local machine.
In my webapp, I have got the lowest authorisation possible (I think). But, I have no explanations for the consoleapp...
It's only suppositions, but this is coherent.
