views: 648
answers: 5

Hello, I'm trying to secure a WCF service using Windows accounts. The service should run on many systems with different languages. How can I set a PrincipalPermission that has language-independent role names?

I found ugly workarounds like this one.

[PrincipalPermission(SecurityAction.Demand, Role = "Builtin\\Administrators")] // English
[PrincipalPermission(SecurityAction.Demand, Role = "Vordefiniert\\Administratoren")] // German
public string HelloWorld()
{
    return "Hello";
}

I don't think this is a good solution, is there any way to make this language independent? Is there a way to use the account SID instead of a string?

A: 

Hmmmm, I would not use a group name directly in my code (hard coded). Try to abstract it to a role like "HelloWorldAdmin" and have a role configured in the app.config. This one should be mapped to a user group. This would allow your users / admins to select a group and map it to the role (e.g. in case the application admins are not your AD admins). Have a look at http://msdn.microsoft.com/en-us/library/ms998314.aspx. HTH.

Tomcat
A: 

Are you absolutely sure that on a German-language system, "BUILTIN\Administrators" will not work? I would have imagined even then, these basic group names should be valid. Yes, in your admin tools, it will show "Vordefiniert\Administratoren" - but I would be surprised if the PrincipalPermission attribute were language-dependent.

Marc

marc_s
No, it doesn't work. The main logic is in the WindowsPrincipal.IsInRole(string) method. I looked with Reflector and didn't find any "translation" of the role names. Just try it yourself:

    WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
    bool english = principal.IsInRole("Builtin\\Administrators");
    bool german = principal.IsInRole("Vordefiniert\\Administratoren");

I was as surprised as you are, could be that I'm missing something...
Franz P.
I'm amazed and stunned..... what a daft thing! They're nuts, those Microsofties :-)
marc_s
+1  A: 

One more try: have a look at http://msdn.microsoft.com/en-us/library/system.security.principal.windowsbuiltinrole.aspx and go to the sample. There you can use the BuiltIn enumeration members to get the correctly spelled group name (via the API)... then it should be language neutral.

HTH, Thomas

Tomcat
+1  A: 

You may use the imperative version and dynamically convert a language-neutral form (e.g. SID) to the localized form (maybe through SecurityIdentifier.Translate).

Well-known SIDs are listed in KB 243330.

Giulio Vian
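The two answers above (resolving the localized name through the WindowsBuiltInRole/SID APIs, and doing the check imperatively rather than with the attribute) are easy to combine. The following is an added example, not code from any of the answers; it assumes the service runs on Windows with Windows authentication so that Thread.CurrentPrincipal is a WindowsPrincipal, and the class and method names (LanguageNeutralRoleCheck, DemandRole, IsCallerInRole) are my own. It also shows the IsInRole overloads that take a WellKnownSidType or SecurityIdentifier, which avoid the name lookup entirely.

```csharp
// Added example: language-neutral administrator check for a WCF operation.
// Assumes Windows authentication, i.e. Thread.CurrentPrincipal is a WindowsPrincipal.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class LanguageNeutralRoleCheck
{
    // Resolve a well-known SID (BUILTIN\Administrators is always S-1-5-32-544,
    // whatever the display language) to the localized "DOMAIN\Name" form that
    // PrincipalPermission and IsInRole(string) compare against on this machine.
    public static string LocalizedRoleName(WellKnownSidType sidType)
    {
        var sid = new SecurityIdentifier(sidType, null);
        return sid.Translate(typeof(NTAccount)).Value;
    }

    // Imperative equivalent of the declarative attribute: throws SecurityException
    // when the calling principal is not a member of the well-known group.
    public static void DemandRole(WellKnownSidType sidType)
    {
        var permission = new PrincipalPermission(null, LocalizedRoleName(sidType));
        permission.Demand();
    }

    // Direct membership test with no name translation at all: WindowsPrincipal
    // has IsInRole overloads for SecurityIdentifier and WellKnownSidType.
    public static bool IsCallerInRole(WellKnownSidType sidType)
    {
        var principal = Thread.CurrentPrincipal as WindowsPrincipal;
        if (principal == null)
        {
            // Not a Windows principal (e.g. a custom authorization policy): deny by default.
            return false;
        }
        return principal.IsInRole(sidType);
    }
}

// Hypothetical service operation using the checks above.
public class HelloService
{
    public string HelloWorld()
    {
        // Either style works; the demand fails closed with a SecurityException.
        LanguageNeutralRoleCheck.DemandRole(WellKnownSidType.BuiltinAdministratorsSid);
        return "Hello";
    }

    public string HelloIfAdmin()
    {
        if (!LanguageNeutralRoleCheck.IsCallerInRole(WellKnownSidType.BuiltinAdministratorsSid))
        {
            throw new SecurityException("Caller is not a member of BUILTIN\\Administrators.");
        }
        return "Hello";
    }
}
```

Both paths depend on WCF's ServiceAuthorizationBehavior being left at its default PrincipalPermissionMode (UseWindowsGroups), which is what puts a WindowsPrincipal on the thread; with a custom principal the SID-based IsInRole overloads are not available and IsCallerInRole deliberately returns false. Checking by SID also keeps working if an administrator renames the local group, which a hard-coded name would not.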
+1  A: 

You could roll your own permission attribute which handles the translation:

 using System;
 using System.Runtime.InteropServices;
 using System.Security;
 using System.Security.Permissions;
 using System.Security.Principal;

 [Serializable, AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = true, Inherited = false), ComVisible(true)]
 public sealed class AdministratorPrincipalPermissionAttribute : CodeAccessSecurityAttribute
 {
    public AdministratorPrincipalPermissionAttribute(SecurityAction action) : base(action)
    { }

    public override IPermission CreatePermission()
    {
       // Resolve the well-known Administrators SID to the localized account name on this machine
       var identifier = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
       var role = identifier.Translate(typeof(NTAccount)).Value;
       // Name is null, so any authenticated user who is in the role satisfies the demand
       return new PrincipalPermission(null, role);
    }
 }

Please note that this would require some extra deployment effort (GAC, caspol etc.).

Sven Künzler