A Newbie Question to .NET Role Based Security
Hi,
I was recently learning about .NET Role Based Security to implement some security measures in my Web services. My main objective is to protect my business objects with .NET code access security so that they are only accessible through the Web services by authenticated and authorized users.
Here are some approaches that I took. Feel free to comment or correct me (or even laugh at me) at any point as I am still an amateur in this area.

1. What I understand so far is that classes that implement IIdentity represent an authenticated user, and implementations of IPrincipal represent an authenticated user with authorized roles.
2. By modeling how PassportAuthentication and WindowsAuthentication work, I thought it was more secure to create my own identity and principal classes that implement the interfaces above; let's call them MyAppIdentity and MyAppPrincipal.
3. When a Web method is called, I will authenticate the user's credentials against the database and construct a MyAppIdentity that represents the user. Then I will enumerate his roles from the database and construct a MyAppPrincipal.
4. Then, I set the instantiated MyAppPrincipal on the current thread using the AppDomain.CurrentDomain.SetThreadPrincipal method.
5. Depending on the nature of the methods on my business object, they are tagged with PrincipalPermissionAttribute with different roles. For instance, methods that require administrator privilege will have
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="Administrators")]
and methods that require manager privilege will have
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="Manager")]
6. Now, things look fine and dandy so far to me, as I thought the security design looked pretty solid. If someone manages to bypass my Web services authentication process, they are still unable to call the business method without a proper principal. Even a rogue admin who has access to the server and the assembly of my business objects still does not stand a chance.
7. Suddenly it occurs to me: what if a rogue admin creates a simple console application that uses my business object assembly? He knows that I am using code access security to protect the methods. He then creates a GenericPrincipal with the role of "Administrators". Well, now he has successfully gained access to the business object methods.
8. I thought hard about whether this is a flaw in .NET security or my poor understanding of its actual operation. IMHO, I thought that the PrincipalPermissionAttribute should check not only the role name and user name, but also the principal type. In my case, the attribute should check if the thread's current principal is of type MyAppPrincipal. Thus, anybody who "spoofs" the principal using other types, such as GenericPrincipal, will not get in. And it is up to the programmer to create a good design such that MyAppPrincipal can only be obtained through valid authentication channels, just like how PassportAuthentication and WindowsAuthentication work.
9. I know one workaround to this is to use the imperative method of demanding security permission. But I like the elegance of declarative syntax via attributes.
10. Otherwise, imagine that there is a secured Windows service that requires WindowsAuthentication with the Administrators role. With the current .NET security implementation, the most that the user can do to protect the service is tag the method with
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="Administrators")]
11. Similar to the flaw in my application above, a potential hacker knows the only way for him to obtain a WindowsPrincipal is via an authenticated WindowsIdentity, to which he has no access. He then creates a GenericPrincipal with the Administrators role, and he is in!!
12. The more I think about all this, the more paranoid I become. I was also wondering, even if there were strict type checking when checking principal permission by the .NET runtime, what if the hacker creates a subclass of WindowsAuthentication and just overrides its role properties to return the required role?
13. How about reflection? To me, reflection is a very powerful tool in .NET, even for a hacker. One can use reflection to examine all private data members of a class and even modify them. Can a hacker elevate the privilege of a WindowsPrincipal, GenericPrincipal or PassportPrincipal on the current thread by modifying it indirectly through reflection?
Hmmm.... I hope I am not thinking too much. Thanks in advance for any feedback.
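The scenario from steps 3 to 5 and 7 above (and the question restated in the follow-up below), written out as an added C# example; this is not code from the original post. It targets .NET Framework 4.x, where PrincipalPermission is honored by the runtime; on .NET Core and .NET 5+ the attribute is not honored. MyAppIdentity, MyAppPrincipal and BusinessObject are hypothetical names taken from the post, and the user names and role strings are constructed for the demo. The declarative demand only asks Thread.CurrentPrincipal.IsInRole("Administrators"), so a GenericPrincipal claiming that role passes it; the second method shows the imperative check that also verifies the concrete principal type.

```csharp
// Added example, not from the original post. Targets .NET Framework 4.x.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical identity type from the post: represents an authenticated user.
public sealed class MyAppIdentity : IIdentity
{
    public MyAppIdentity(string name) { Name = name; }
    public string Name { get; private set; }
    public string AuthenticationType { get { return "MyApp"; } }
    public bool IsAuthenticated { get { return true; } }
}

// Hypothetical principal type from the post: identity plus the roles loaded for it.
// sealed + internal constructor: only this assembly's authentication code builds one
// through the normal language rules (reflection from full-trust code still can).
public sealed class MyAppPrincipal : IPrincipal
{
    private readonly string[] _roles;

    internal MyAppPrincipal(MyAppIdentity identity, string[] roles)
    {
        Identity = identity;
        _roles = roles;
    }

    public IIdentity Identity { get; private set; }

    public bool IsInRole(string role)
    {
        return Array.IndexOf(_roles, role) >= 0;
    }
}

public static class BusinessObject
{
    // Declarative demand: the runtime checks Thread.CurrentPrincipal.IsInRole("Administrators")
    // and Identity.IsAuthenticated. It never looks at the principal's type.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public static string DeclarativeAdminOnly()
    {
        return "declarative: admin work done";
    }

    // Imperative check that additionally requires the principal to be a MyAppPrincipal.
    public static string TypeCheckedAdminOnly()
    {
        MyAppPrincipal p = Thread.CurrentPrincipal as MyAppPrincipal;
        if (p == null || !p.IsInRole("Administrators"))
            throw new SecurityException("Caller is not a MyAppPrincipal in role Administrators.");
        return "type-checked: admin work done";
    }
}

public static class Demo
{
    static void Attempt(string label, Func<string> action)
    {
        try { Console.WriteLine("{0}: {1}", label, action()); }
        catch (SecurityException e) { Console.WriteLine("{0}: DENIED ({1})", label, e.Message); }
    }

    public static void Main()
    {
        // 1. The spoof from step 7: a GenericPrincipal that merely claims the Administrators role.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("mallory"), new[] { "Administrators" });
        Attempt("spoof/declarative", BusinessObject.DeclarativeAdminOnly);   // IsInRole is true, demand passes
        Attempt("spoof/type-checked", BusinessObject.TypeCheckedAdminOnly);  // wrong principal type, denied

        // 2. A principal built by the assembly's own authentication path (steps 3 and 4).
        Thread.CurrentPrincipal = new MyAppPrincipal(
            new MyAppIdentity("alice"), new[] { "Administrators" });
        Attempt("real/declarative", BusinessObject.DeclarativeAdminOnly);
        Attempt("real/type-checked", BusinessObject.TypeCheckedAdminOnly);
    }
}
```

Two caveats a practitioner would want. First, the example assigns Thread.CurrentPrincipal directly; AppDomain.SetThreadPrincipal only supplies the default for threads that have not yet had a principal assigned, and it can be called only once per AppDomain (a second call throws PolicyException), so it is not the right call for per-request principals. Second, the type check defeats the trivial GenericPrincipal substitution, but anyone who can already run full-trust code in the process (the rogue admin with a console application) can construct a MyAppPrincipal through reflection on the internal constructor or simply replace Thread.CurrentPrincipal; in-process principal checks are a policy mechanism, not a trust boundary against someone who controls the server.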

Answers
Dear Thomas Cheah,
Here are some classic examples of implementing role-based security in .NET. These would definitely help you.
http://support.microsoft.com/kb/311495
http://www.codeguru.com/csharp/.net/net_security/authentication/article.php/c7415/
http://www.codeproject.com/KB/web-security/formsroleauth.aspx
All Replies
Hmm... no comments, anyone? Or am I asking too much? Or is it too confusing?
To cut the long story short, I guess I just want to know how .NET role-based code access security like
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="Administrators")]
demands security permission from a particular principal type, for instance WindowsPrincipal. Otherwise, anybody can just spoof the role by using a GenericPrincipal.

