I am implementing a WCF service that uses transaction propagation.

The ASP.NET Security model with SQL Server (SqlRoleProvider) is used for authorization. I am using declarative security via the PrincipalPermission attribute, as shown below.

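using System.Security.Permissions;  // PrincipalPermission, SecurityAction
using System.ServiceModel;          // ServiceBehavior, OperationBehavior
using System.Transactions;          // IsolationLevel

[ServiceBehavior(TransactionIsolationLevel = IsolationLevel.Serializable)]
public class MyService : IMyService
{
    // The role demand is evaluated when the operation is invoked.
    [PrincipalPermission(SecurityAction.Demand, Role = "RoleName")]
    [OperationBehavior(TransactionScopeRequired = true)]
    public void DoSomething()
    {
    }
}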

Here's the question:

What I see is that the authorization check (IsInRole) of the PrincipalPermission is using the propagated transaction as ambient transaction to access the ASP.NET Security database. I do not want that, as this locks the tables in the ASP.NET Security database. Besides, it is conceptually wrong, as it is only an access permission check and totally unrelated to modifications done in the business database.

I understand that I can abandon the declarative security model and programmatically make the IsInRole check using a new TransactionScope (using TransactionScopeOption.Suppress or TransactionScopeOption.RequiresNew when appropriate), but is it possible to achieve this while retaining the declarative security model?

+1  A: 

Solution:

I added 'Enlist=false' to the connection string to the SQL Security Database; in this way the connection shall not participate in the transaction context.

Jeroen de Bekker
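
A configuration sketch of the fix described in the answer, added here as an example and not taken from the original post. The connection string names, server, database names, provider name and behavior name are assumptions; the point is that Enlist=false sits only on the connection string used by the role provider, while the business database keeps the default enlistment.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed name "SecurityDb": the ASP.NET roles database.
         Enlist=false keeps connections opened by the role provider out of
         the ambient (propagated) transaction, so the IsInRole lookup takes
         no Serializable locks on the security tables. -->
    <add name="SecurityDb"
         connectionString="Data Source=SQLHOST;Initial Catalog=aspnetdb;Integrated Security=SSPI;Enlist=false"
         providerName="System.Data.SqlClient" />

    <!-- Assumed name "BusinessDb": the business database. Enlist is left at
         its default (true) so business writes still join the transaction. -->
    <add name="BusinessDb"
         connectionString="Data Source=SQLHOST;Initial Catalog=Business;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <!-- The role provider reads only from the non-enlisting connection. -->
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="SecurityDb"
             applicationName="MyService" />
      </providers>
    </roleManager>
  </system.web>

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyServiceBehavior">
          <!-- PrincipalPermission demands are resolved through the ASP.NET
               role provider named above. -->
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                                roleProviderName="SqlRoles" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

Because Enlist=false applies to every connection opened with that string, the security database should not share a connection string with any code path that needs its writes to be transactional.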