views: 15

answers: 0

Hi all, I was wondering if anyone would be able to help me with the following?

I need some more complicated rules for authorisation in a webapp than just role, which I have working fine. Something along the lines of "Allow all Admins. Allow Buyers, provided they have the correct department ID and are allowed to see this customer's credentials".

I am using a custom identity and custom principal to store information such as whether a user is allowed to see all clients or which individual clients they may see. This information is retrieved from a database and added upon creation of the identity/principal.

I have created a custom permission that extends IPermission, ISecurityEncodable. Within this, I have modified the Demand() function to the following:

public void Demand()
{
    // Resolve the caller's custom identity from the current principal.
    this._identity = (UserIdentity)Thread.CurrentPrincipal.Identity;

    if (Thread.CurrentPrincipal.IsInRole("Admin")) { }            // admins always pass
    else if (Thread.CurrentPrincipal.IsInRole("Buyer") &&
             this._identity.CanViewAllClients &&
             this._identity.IsInDept(this._departmentID)) { }     // buyer in department, may view all clients
    else if (Thread.CurrentPrincipal.IsInRole("Buyer") &&
             this._identity.CanViewClient(this._requestedClient) &&
             this._identity.IsInDept(this._departmentID)) { }     // buyer in department, may view this client
    else { throw new SecurityException("Custom Permission Denied"); }
}

I then call this when I wish to authorise by using

CustomPermission custperm = new CustomPermission(requestedClient, reqClientDept);
custperm.Demand();

This works fine, but seems a messy, hacky way to do things. Especially since it would be nice to use my security roles as an attribute e.g.

[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
public class...

Perhaps there is a way to call [CustomPrincipalPermission(SecurityAction.Demand, Authorised = true)] with a custom IsAuthorised check? Is this possible? What would need to be implemented?

I apologise if there is a simple solution that I've missed online, but rest assured I have been checking for days now.
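The declarative route the question asks about, as an added example that is not the poster's code: a permission type paired with a CodeAccessSecurityAttribute subclass, so the runtime can evaluate [ClientAccessPermission(SecurityAction.Demand, DepartmentId = 7)] on a class or method before the decorated code runs. It assumes .NET Framework (declarative CAS attributes are not honoured on .NET Core/.NET 5+), the post's UserIdentity type with the members named there, and a hypothetical RequestScope holder for the client id being requested, because attribute arguments must be compile-time constants.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
// Hypothetical per-request holder (assumption): the request pipeline publishes the
// requested client id here before the declarative demand runs.
public static class RequestScope { [ThreadStatic] public static int CurrentClientId; }
// UserIdentity is the poster's custom identity (CanViewAllClients, CanViewClient, IsInDept);
// it is assumed to exist as described in the post and is not defined here.
[Serializable] // declarative use requires a serializable permission type
public sealed class ClientAccessPermission : IPermission, ISecurityEncodable
{
    private int _departmentId;
    public ClientAccessPermission(int departmentId) { _departmentId = departmentId; }
    public void Demand()
    {
        IPrincipal p = Thread.CurrentPrincipal;
        var id = p == null ? null : p.Identity as UserIdentity;
        // Fail closed on a foreign or anonymous identity instead of letting a cast exception escape.
        if (id == null || !id.IsAuthenticated) throw new SecurityException("ClientAccessPermission denied");
        if (p.IsInRole("Admin")) return;
        bool mayView = id.CanViewAllClients || id.CanViewClient(RequestScope.CurrentClientId);
        if (p.IsInRole("Buyer") && id.IsInDept(_departmentId) && mayView) return;
        throw new SecurityException("ClientAccessPermission denied");
    }
    // Set-algebra and XML members the runtime may call when it merges or persists permission sets.
    public IPermission Copy() { return new ClientAccessPermission(_departmentId); }
    public IPermission Union(IPermission t) { return Copy(); }
    public IPermission Intersect(IPermission t) { return IsSubsetOf(t) ? Copy() : null; }
    public bool IsSubsetOf(IPermission t) { var o = t as ClientAccessPermission; return o != null && o._departmentId == _departmentId; }
    public SecurityElement ToXml()
    {
        var e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName);
        e.AddAttribute("version", "1");
        e.AddAttribute("DepartmentId", _departmentId.ToString());
        return e;
    }
    public void FromXml(SecurityElement e) { _departmentId = int.Parse(e.Attribute("DepartmentId")); }
}
// The attribute: the runtime calls CreatePermission() and then Demand() before the decorated member runs.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = false)]
public sealed class ClientAccessPermissionAttribute : CodeAccessSecurityAttribute
{
    public ClientAccessPermissionAttribute(SecurityAction action) : base(action) { }
    public int DepartmentId { get; set; }
    public override IPermission CreatePermission() { return new ClientAccessPermission(DepartmentId); }
}
```

In ASP.NET the client-id holder should be per-request (for example an item the pipeline puts in HttpContext.Items) rather than [ThreadStatic], since requests are not pinned to a thread; every branch that is not an explicit allow ends in a SecurityException so the demand fails closed.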