---
title: "How to: Restrict Access with the PrincipalPermissionAttribute Class"
description: "Learn more about: How to: Restrict Access with the PrincipalPermissionAttribute Class"
ms.date: 03/30/2017
ms.assetid: 5162f5c4-8781-4cc4-9425-bb7620eaeaf4
---

# How to: Restrict Access with the PrincipalPermissionAttribute Class
Controlling the access to resources on a Windows-domain computer is a basic security task. For example, only certain users should be able to view sensitive data, such as payroll information. This topic explains how to restrict access to a method by demanding that the user belong to a predefined group. For a working sample, see Authorizing Access to Service Operations.
The task consists of two separate procedures. The first creates the group and populates it with users. The second applies the xref:System.Security.Permissions.PrincipalPermissionAttribute class to specify the group.
## To create a Windows group

1. Open the Computer Management console.

2. In the left panel, click Local Users and Groups.

3. Right-click Groups, and click New Group.

4. In the Group Name box, type a name for the new group.

5. In the Description box, type a description of the new group.

6. Click the Add button to add new members to the group.

7. If you have added yourself to the group and want to test the following code, you must log off the computer and log back on to be included in the group. Group memberships are placed in the logon token when you sign in, so an existing session does not see the new membership.
## To demand user membership

1. Open the Windows Communication Foundation (WCF) code file that contains the implemented service contract code. For more information about implementing a contract, see Implementing Service Contracts.

2. Apply the xref:System.Security.Permissions.PrincipalPermissionAttribute attribute to each method that must be restricted to a specific group. Set the xref:System.Security.Permissions.SecurityAttribute.Action%2A property to xref:System.Security.Permissions.SecurityAction.Demand and the xref:System.Security.Permissions.PrincipalPermissionAttribute.Role%2A property to the name of the group. For example:

   [!code-csharpc_PrincipalPermissionAttribute#1]
   [!code-vbc_PrincipalPermissionAttribute#1]

> [!NOTE]
> If you apply the xref:System.Security.Permissions.PrincipalPermissionAttribute attribute to a contract rather than to an implementing method, a xref:System.Security.SecurityException is thrown. You can apply the attribute only at the method level.
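The two procedures above put together as one added example; this is not code from the original page or from the WCF samples it links to. The group name `Payroll`, the contract, its namespace and the endpoint address are assumptions for illustration. `CreateHost` shows the host side: Windows client credentials, with `PrincipalPermissionMode` left at its default of `UseWindowsGroups`, under which WCF sets `Thread.CurrentPrincipal` to a `WindowsPrincipal` for each call and the `Role` name is checked against the caller's group memberships. `Main` shows, without a running host, that the declarative demand is enforced by the runtime against whatever principal is current, by calling the method directly under a constructed `GenericPrincipal`. The example targets .NET Framework, where the declarative `PrincipalPermissionAttribute` is supported.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.Threading;

// Contract: keep it free of PrincipalPermission; the attribute is honored only
// on the implementing methods (see the note above).
[ServiceContract(Namespace = "http://example.com/payroll")]   // assumed namespace
public interface IPayrollService
{
    [OperationContract]
    string GetSalary(string employeeId);

    [OperationContract]
    string Ping();
}

public class PayrollService : IPayrollService
{
    // Demand membership in the local "Payroll" group (hypothetical; the group you
    // created with the Computer Management steps). For a domain group use the
    // qualified form "DOMAIN\\GroupName".
    [PrincipalPermission(SecurityAction.Demand, Role = "Payroll")]
    public string GetSalary(string employeeId)
    {
        // Constructed response; a real service would query its data store here.
        return "salary record for " + employeeId;
    }

    // No attribute: any caller that authenticated to the service reaches this.
    public string Ping()
    {
        return "pong";
    }
}

public static class Program
{
    // Host configuration matching the procedure: Windows client credentials and
    // PrincipalPermissionMode.UseWindowsGroups (the default, made explicit here).
    public static ServiceHost CreateHost()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var host = new ServiceHost(typeof(PayrollService),
                                   new Uri("http://localhost:8000/payroll"));   // assumed address
        host.AddServiceEndpoint(typeof(IPayrollService), binding, "");

        var authz = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        authz.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        return host;
    }

    // Calls the restricted operation under a constructed principal that carries the
    // given roles; returns whether the declarative demand let the call through.
    public static bool Allowed(string[] roles)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), roles);
        try
        {
            new PayrollService().GetSalary("E-42");
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    public static void Main()
    {
        Console.WriteLine("member of Payroll: " + Allowed(new[] { "Payroll" }));
        Console.WriteLine("member of Sales:   " + Allowed(new[] { "Sales" }));

        // To serve real callers instead of the self-check above:
        // using (var host = CreateHost()) { host.Open(); Console.ReadLine(); }
    }
}
```

The first call succeeds and the second throws `SecurityException` before the method body runs, which is exactly what a WCF caller outside the group sees as an access-denied fault. Note that the check is against the principal WCF attaches to the call, so a service that overrides `PrincipalPermissionMode` (for example to `None`) silently disables every `Role` demand in the service; keep the mode and the attributes reviewed together.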
## Using a certificate to control access to a method

You can also use the PrincipalPermissionAttribute class to control access to a method if the client credential type is a certificate. To do this, you must have the certificate's subject name and thumbprint.

To examine a certificate for its properties, see How to: View Certificates with the MMC Snap-in. To find the thumbprint value, see How to: Retrieve the Thumbprint of a Certificate.
1. Apply the xref:System.Security.Permissions.PrincipalPermissionAttribute class to the method you want to restrict access to.

2. Set the action of the attribute to xref:System.Security.Permissions.SecurityAction.Demand?displayProperty=nameWithType.

3. Set the Name property to a string that consists of the subject name and the certificate's thumbprint. Separate the two values with a semicolon and a space, as shown in the following example:

   [!code-csharpc_PrincipalPermissionAttribute#2]
   [!code-vbc_PrincipalPermissionAttribute#2]

4. Set the xref:System.ServiceModel.Description.ServiceAuthorizationBehavior.PrincipalPermissionMode%2A property to xref:System.ServiceModel.Description.PrincipalPermissionMode.UseAspNetRoles as shown in the following configuration example:

   ```xml
   <behaviors>
     <serviceBehaviors>
       <behavior name="SvcBehavior1">
         <serviceAuthorization principalPermissionMode="UseAspNetRoles" />
       </behavior>
     </serviceBehaviors>
   </behaviors>
   ```
Setting this value to UseAspNetRoles indicates that the Name property of the PrincipalPermissionAttribute will be used to perform a string comparison. When a certificate is used as a client credential, by default WCF concatenates the certificate's subject name and thumbprint, separated by a semicolon and a space, to create a unique value for the client's primary identity. With UseAspNetRoles set as the PrincipalPermissionMode on the service, this primary identity value is compared with the Name property value to determine the access rights of the caller. The comparison is exact, so the Name string must reproduce the subject name and the thumbprint (uppercase hexadecimal, no separators) character for character.

Alternatively, when creating a self-hosted service, set the xref:System.ServiceModel.Description.ServiceAuthorizationBehavior.PrincipalPermissionMode%2A property in code as shown in the following code:
[!code-csharpc_PrincipalPermissionAttribute#3] [!code-vbc_PrincipalPermissionAttribute#3]
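The certificate procedure as one added example, written for this page rather than taken from it or from the WCF samples. `ExpectedPrincipalName` builds the value the `Name` property must contain, following the format this topic describes: the subject name, a semicolon and a space, then the thumbprint. `NormalizeThumbprint` turns a thumbprint pasted from the certificate dialog (which shows it as space-separated, possibly lowercase, hex pairs) into the form `X509Certificate2.Thumbprint` reports, and rejects anything that is not 40 hex digits, which also catches the invisible characters a copy from that dialog can carry. `CreateHost` is the code equivalent of the `UseAspNetRoles` configuration above. The contract, the subject `CN=payroll-client`, the placeholder thumbprint, the service certificate lookup and the endpoint address are assumptions for illustration; the subject name is assumed to be the one `X509Certificate2.SubjectName.Name` reports.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract]
public interface IPayrollService
{
    [OperationContract]
    string GetSalary(string employeeId);
}

public class PayrollService : IPayrollService
{
    // Name = "<subject name>; <thumbprint>". Both values are placeholders; take the
    // real ones from the client certificate with CertificateIdentity.ExpectedPrincipalName.
    [PrincipalPermission(SecurityAction.Demand,
        Name = "CN=payroll-client; 0123456789ABCDEF0123456789ABCDEF01234567")]
    public string GetSalary(string employeeId)
    {
        return "salary record for " + employeeId;   // constructed response
    }
}

public static class CertificateIdentity
{
    // Drop whitespace and uppercase the hex so the value matches X509Certificate2.Thumbprint.
    // Anything that is not exactly 40 hex digits (SHA-1) is rejected, including hidden
    // control characters picked up when copying from the certificate dialog.
    public static string NormalizeThumbprint(string pasted)
    {
        var hex = new string(pasted.Where(c => !char.IsWhiteSpace(c)).ToArray()).ToUpperInvariant();
        if (hex.Length != 40 || !hex.All(Uri.IsHexDigit))
            throw new ArgumentException("not a SHA-1 thumbprint: " + pasted);
        return hex;
    }

    // The primary identity value WCF compares against Name when the client credential
    // is a certificate, in the format this topic describes: subject, "; ", thumbprint.
    public static string ExpectedPrincipalName(string subjectName, string thumbprint)
    {
        return subjectName + "; " + NormalizeThumbprint(thumbprint);
    }

    public static string ExpectedPrincipalName(X509Certificate2 cert)
    {
        return ExpectedPrincipalName(cert.SubjectName.Name, cert.Thumbprint);
    }
}

public static class Program
{
    // Host side: certificate client credentials, chain-trust validation of the client
    // certificate, and PrincipalPermissionMode.UseAspNetRoles so Name is compared.
    public static ServiceHost CreateHost()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        var host = new ServiceHost(typeof(PayrollService),
                                   new Uri("http://localhost:8000/payroll"));   // assumed address
        host.AddServiceEndpoint(typeof(IPayrollService), binding, "");

        // Service certificate, assumed to be in LocalMachine\My with subject "localhost".
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");
        // Validate the client certificate chain before any identity is built from it.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;

        // Same effect as <serviceAuthorization principalPermissionMode="UseAspNetRoles" />.
        host.Description.Behaviors.Find<ServiceAuthorizationBehavior>().PrincipalPermissionMode =
            PrincipalPermissionMode.UseAspNetRoles;
        return host;
    }

    public static void Main()
    {
        // Constructed input: a thumbprint as it appears when copied from the certificate dialog.
        Console.WriteLine(CertificateIdentity.ExpectedPrincipalName(
            "CN=payroll-client", "01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67"));

        // To serve callers: using (var host = CreateHost()) { host.Open(); Console.ReadLine(); }
    }
}
```

Generate the `Name` string from the actual certificate object (the `X509Certificate2` overload) rather than typing it, and paste the result into the attribute; the thumbprint pins the demand to one specific certificate, so reissuing the client certificate changes the thumbprint and every `Name` demand that referenced it must be updated. Pinning to the thumbprint is what prevents a different certificate with the same subject name from satisfying the demand.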
## See also

- xref:System.Security.Permissions.PrincipalPermissionAttribute
- xref:System.Security.Permissions.SecurityAction.Demand
- xref:System.Security.Permissions.PrincipalPermissionAttribute.Role%2A
- Authorizing Access to Service Operations
- Security Overview
- Implementing Service Contracts