If You Use Windows Groups for Authorization, Use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

If you use Windows groups for authorization, consider using the ASP.NET role provider named AspNetWindowsTokenRoleProvider. This separates the design of the authorization from its implementation inside your service: if you later change the role provider, the code that performs the authorization is not affected. Also consider making imperative checks through the role manager API instead of performing authorization checks with WindowsPrincipal.IsInRole.

The following configuration example shows how to configure AspNetWindowsTokenRoleProvider.
<system.web>
…
<roleManager enabled="true"
             defaultProvider="AspNetWindowsTokenRoleProvider" />
…
</system.web>

Configure the service behavior to use the UseAspNetRoles principal permission mode and the role provider.
….
<behaviors>
    <serviceBehaviors>
        <behavior name="BehaviorConfiguration">
            <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                roleProviderName="AspNetWindowsTokenRoleProvider" />
            <serviceMetadata />
        </behavior>
    </serviceBehaviors>
</behaviors>
….

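The following code shows how to perform the authorization check in code, using the role manager API:
// Requires: using System.Web.Security;
// Checks the current caller against the configured default role provider.
if (Roles.IsUserInRole(@"accounting"))
{
   // authorized
}
else
{
   // authorization failed
}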
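
The same imperative check placed inside a service operation so that it fails closed, as an added example that is not part of the original guidance. ILedgerService, LedgerService, the CONTOSO\Accounting group and the sample balance are hypothetical; the example assumes the roleManager and serviceAuthorization configuration shown above and a binding that authenticates callers with Windows credentials.

```csharp
using System.Collections.Generic;
using System.Configuration.Provider;
using System.ServiceModel;
using System.Web.Security;

// Hypothetical contract, service and group names, used only for illustration.
[ServiceContract]
public interface ILedgerService
{
    [OperationContract]
    decimal GetBalance(string accountId);
}

public class LedgerService : ILedgerService
{
    // Placeholder group; the Windows token provider treats Windows groups as roles.
    private const string AccountingRole = @"CONTOSO\Accounting";
    // Constructed sample data standing in for a real data store.
    private static readonly Dictionary<string, decimal> Balances =
        new Dictionary<string, decimal> { { "ACC-001", 1250.00m } };

    public decimal GetBalance(string accountId)
    {
        DemandRole(AccountingRole); // authorize before touching any data
        decimal balance;
        return Balances.TryGetValue(accountId, out balance) ? balance : 0m;
    }

    // Fails closed: only a positive role match lets the call proceed.
    private static void DemandRole(string role)
    {
        bool allowed;
        try
        {
            // Answered by the default provider named in <roleManager>, so
            // changing the provider does not change this code.
            allowed = Roles.IsUserInRole(role);
        }
        catch (ProviderException)
        {
            allowed = false; // role manager disabled or caller could not be evaluated
        }
        if (!allowed)
        {
            // Sent to the client as a SOAP fault; the text reveals no role names.
            throw new FaultException("Access is denied.");
        }
    }
}
```

In production code, log the ProviderException before denying so that a configuration error does not pass for an ordinary authorization failure.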

Last edited Jun 12, 2008 at 8:58 PM by prashantbansode, version 1
