PrincipalPermission Usage

  • Question

    1. I'm trying to reconcile what I'm seeing for behaviors of the PrincipalPermission class vs the documentation for how it should work.

    When using the PermissionState constructor

    • The None enum (new PrincipalPermission(PermissionState.None)): The documentation indicates it matches only the unauthenticated principal. When calling .Demand() it doesn't appear to matter if the Principal is authenticated or not; it always succeeds. It doesn't matter if the Principal is a GenericPrincipal, an Anonymous Windows Principal or my current domain WindowsPrincipal. If you look at the documentation for the PermissionState, None is supposed to provide "No access to the resource protected by the permission".
    • The Unrestricted enum (new PrincipalPermission(PermissionState.Unrestricted)): The documentation indicates it matches all principals.  Now with the CAS Permissions this basically means ignore the Principal provided and grant everyone access, but in the case of a PrincipalPermission, this looks to force/require an Authenticated IPrincipal before it will ignore checking the permission for said principal and provide the "unrestricted" access. To check this, I've used the following (the first two fail and the second succeeds)
          Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(""), new string[0]);
          Thread.CurrentPrincipal = new WindowsPrincipal(WindowsIdentity.GetAnonymous());
          Thread.CurrentPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());

    When using the [is]Authenticated constructor

    • It looks like when the Authenticated bool is passed in as False, the PrincipalPermission is basically worthless.  The Principal doesn't matter.  It doesn't matter if the principal is authenticated or not for the Role and/or Name (or if it's even set).  The documentation hints at it being possible to check if the Principal has been authenticated or not. Is this the intent of this Boolean flag?

    To recap, can anyone confirm this is correct and all sorts of twisted? If you have a PermissionState.None which should block all access, it instead allows all access, and the Authenticated bool false value makes the PrincipalPermission moot as it pertains to a Principal being present or not?

    TIA

    Friday, January 12, 2018 7:43 PM
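
The checks described in the question above can be tabulated with a small console harness that runs Demand() for each way of constructing the permission against each kind of principal. This is an added example, not code from the thread; it assumes .NET Framework on Windows, and the identity name "alice" and role "Operators" are constructed sample values.

```csharp
// Added example, not from the thread. Assumes .NET Framework on Windows.
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class PrincipalPermissionMatrix
{
    // Runs Demand() with the given principal installed on the current thread
    // and reports whether the demand passed or raised a SecurityException.
    static string Try(IPermission permission, IPrincipal principal)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        try
        {
            Thread.CurrentPrincipal = principal;
            permission.Demand();
            return "granted";
        }
        catch (SecurityException)
        {
            return "DENIED";
        }
        finally
        {
            Thread.CurrentPrincipal = saved; // always restore the original principal
        }
    }

    static void Main()
    {
        // Constructed principals; "alice" and "Operators" are sample values.
        var principals = new Dictionary<string, IPrincipal>
        {
            ["generic, unauthenticated"] = new GenericPrincipal(new GenericIdentity(""), new string[0]),
            ["generic, authenticated"] = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Operators" }),
            ["windows, anonymous"] = new WindowsPrincipal(WindowsIdentity.GetAnonymous()),
            ["windows, current"] = new WindowsPrincipal(WindowsIdentity.GetCurrent()),
        };
        var permissions = new Dictionary<string, IPermission>
        {
            ["PermissionState.None"] = new PrincipalPermission(PermissionState.None),
            ["PermissionState.Unrestricted"] = new PrincipalPermission(PermissionState.Unrestricted),
            ["(null, null, isAuthenticated: false)"] = new PrincipalPermission(null, null, false),
            ["(null, \"Operators\")"] = new PrincipalPermission(null, "Operators"),
        };
        foreach (var perm in permissions)
            foreach (var who in principals)
                Console.WriteLine("{0,-38} {1,-26} {2}", perm.Key, who.Key, Try(perm.Value, who.Value));
    }
}
```

Each output row is one permission/principal pair, so the constructors can be compared side by side before one of them is relied on as an access gate.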

All replies

  • Hi Dev Hammer,

    Thank you for posting here.

    >> If you have a PermissionState.None which should block all access, it instead allows all access

    For your question, PermissionState has two members.

    One is None. A totally restrictive state allows no access to resources.

    The other is Unrestricted.  A totally unrestricted state allows all access to a particular resource.

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    Monday, January 15, 2018 8:44 AM
    Moderator
  • Wendy

    I see you read the documentation the same way that I do. So why do these not fail? If you Demand the PrincipalPermission the expected result should be an Exception with Access Denied. With that being said, if the user hasn't been Authenticated then you can't proceed on to the Authorization portion. This makes the including of the (Is)Authorized Boolean flag worthless from a Permissions standpoint (unless I'm missing something, in which case can you please enlighten me).

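    // Namespaces these two methods need (place at the top of the file):
    // using System;
    // using System.Diagnostics;
    // using System.Security;
    // using System.Security.Permissions;

    // Imperative demand of a PrincipalPermission built with PermissionState.None,
    // evaluated against Thread.CurrentPrincipal.
    private void PermissionShouldBeDenied()
    {
        IPermission permission;

        try
        {
            permission = new System.Security.Permissions.PrincipalPermission(PermissionState.None);
            permission.Demand();
        }
        catch (Exception exception)
        {
            // Reached only if the demand throws.
            Debug.WriteLine(exception.Message);
        }
    }

    // Declarative demand with Authenticated = false and empty Name and Role.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = false, Name = "", Role = "")]
    private void PermissionShouldBeDeniedAsWell()
    {
        Debug.WriteLine("This Works");
    }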

    Monday, January 15, 2018 8:09 PM
  • Hi Dev Hammer,

    Thank you for your feedback.

    What do you want to get from the code?

    According to your code, you defined a None permission. I could not find any code used to set the permission and access to resources. 

    Best Regards,

    Wendy



    Sunday, January 21, 2018 2:37 PM
    Moderator
  • What I'm looking for is (correct) information as to the expected results from the PrincipalPermissions class.

    The code I provided is intended to display examples where the functionality does not work as documented (according to me and your earlier post implies your understanding of the functionality is the same as mine). In which case I'm trying to understand where my knowledge is lacking *or* confirm the functionality is broken and the documentation is incorrect.

    I've been working on code which is configurable such that the AD Group provided to the PrincipalPermission is configurable while also supporting the ability to disable the permission requirement if needed.  In my code when the "disable" flag is set, I return the new PrincipalPermission(PermissionState.Unrestricted) which should return an IPermission that allows all access.  Instead of allowing all access, it looks like whoever developed the PrincipalPermission logic used the wrong PermissionState enum.  What I mean is Unrestricted should not require a valid Principal before it decides to grant unrestricted access.

    The same goes for new PrincipalPermission(PermissionState.None) which should BLOCK ALL access independent of there being a valid Principal or not.  Instead this provides ALL access independent of there being a Principal or not.

    The documentation on the PermissionState enum is at odds with the use of the enum within the PrincipalPermission class.

    In my case in order to "disable" the security checks from happening and allow everyone access, I have to use the new PrincipalPermission(PermissionState.None) to GRANT ALL access to the resource.

    Try throwing my code above into a C# project to see what I'm referring to.

    Wednesday, January 31, 2018 8:34 PM
  • Hi Dev Hammer,

    >> the documentation is incorrect.

    What does this mean?

    >> In my code when the "disable" flag is set

    In the code you provided, I do not see the disable flag.

    >>I return the new PrincipalPermission(PermissionState.Unrestricted) which should return an IPermission that allows all access.  Instead of allowing all access, it looks like whoever developed the PrincipalPermission logic used the wrong PermissionState enum. 

    Please try to use PermissionSet.AddPermission() Method to add permission first.

    Best Regards,

    Wendy



    Tuesday, February 6, 2018 8:49 AM
    Moderator