PrincipalPermissionMode PrincipalPermissionMode PrincipalPermissionMode PrincipalPermissionMode Enum

Definition

Legt den Modus für Autorisierungsprüfungen fest, wenn das PrincipalPermissionAttribute zum Steuern des Zugriffs auf eine Methode verwendet wird.Sets the mode for authorization checks when using the PrincipalPermissionAttribute to control access to a method.

public enum class PrincipalPermissionMode
public enum PrincipalPermissionMode
type PrincipalPermissionMode = 
Public Enum PrincipalPermissionMode
Vererbung
PrincipalPermissionModePrincipalPermissionModePrincipalPermissionModePrincipalPermissionMode

Felder

Always Always Always Always 4

Ermöglicht es dem Benutzer, immer eine benutzerdefinierte IPrincipal-Klasse für CurrentPrincipal anzugeben.Always enables the user to specify a IPrincipal class for CurrentPrincipal.

Custom Custom Custom Custom 3

Ermöglicht es dem Benutzer, eine benutzerdefinierte IPrincipal-Klasse für CurrentPrincipal anzugeben.Enables the user to specify a custom IPrincipal class for CurrentPrincipal.

None None None None 0

CurrentPrincipal wird nicht festgelegt.CurrentPrincipal is not set.

UseAspNetRoles UseAspNetRoles UseAspNetRoles UseAspNetRoles 2

CurrentPrincipal wird basierend auf dem ASP.NETASP.NET-Rollenanbieter (RoleProvider) festgelegt.CurrentPrincipal is set based on the ASP.NETASP.NET role provider (RoleProvider).

UseWindowsGroups UseWindowsGroups UseWindowsGroups UseWindowsGroups 1

CurrentPrincipal wird basierend auf Windows (WindowsPrincipal) festgelegt.CurrentPrincipal is set based on Windows (WindowsPrincipal). Wenn die Benutzeridentität nicht einem Windows-Konto zugeordnet ist, wird ein anonymer Windows-Modus verwendet.If the user identity is not associated with a Windows account, anonymous Windows is used.

Beispiele

Im folgenden Beispiel wird gezeigt, wie useaspnettroles angegeben wird.The following example shows how to specify UseAspNetRoles.

namespace TestPrincipalPermission
{
    class PrincipalPermissionModeWindows
    {
    
        [ServiceContract]
        interface ISecureService
        {
            [OperationContract]
            string Method1();
        }
                
        class SecureService : ISecureService
        {
            [PrincipalPermission(SecurityAction.Demand, Role = "everyone")]
            public string Method1()
            {
                return String.Format("Hello, \"{0}\"", Thread.CurrentPrincipal.Identity.Name);
            }
        }

        public void Run()
        {
            Uri serviceUri = new Uri(@"http://localhost:8006/Service");
            ServiceHost service = new ServiceHost(typeof(SecureService));
            service.AddServiceEndpoint(typeof(ISecureService), GetBinding(), serviceUri);
            service.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
            service.Open();

            EndpointAddress sr = new EndpointAddress(
                serviceUri, EndpointIdentity.CreateUpnIdentity(WindowsIdentity.GetCurrent().Name));
            ChannelFactory<ISecureService> cf = new ChannelFactory<ISecureService>(GetBinding(), sr);
            ISecureService client = cf.CreateChannel();
            Console.WriteLine("Client received response from Method1: {0}", client.Method1());
            ((IChannel)client).Close();
            Console.ReadLine();
            service.Close();
            
        }

        public static Binding GetBinding()
        {
            WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
            return binding;
        }
    }
}
Namespace TestPrincipalPermission
	Friend Class PrincipalPermissionModeWindows

		<ServiceContract> _
		Private Interface ISecureService
			<OperationContract> _
			Function Method1() As String
		End Interface

		Private Class SecureService
			Implements ISecureService
            <PrincipalPermission(SecurityAction.Demand, Role:="everyone")> _
            Public Function Method1() As String Implements ISecureService.Method1
                Return String.Format("Hello, ""{0}""", Thread.CurrentPrincipal.Identity.Name)
            End Function

		End Class

		Public Sub Run()
			Dim serviceUri As New Uri("http://localhost:8006/Service")
			Dim service As New ServiceHost(GetType(SecureService))
			service.AddServiceEndpoint(GetType(ISecureService), GetBinding(), serviceUri)
			service.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles
			service.Open()

			Dim sr As New EndpointAddress(serviceUri, EndpointIdentity.CreateUpnIdentity(WindowsIdentity.GetCurrent().Name))
			Dim cf As New ChannelFactory(Of ISecureService)(GetBinding(), sr)
			Dim client As ISecureService = cf.CreateChannel()
			Console.WriteLine("Client received response from Method1: {0}", client.Method1())
			CType(client, IChannel).Close()
			Console.ReadLine()
			service.Close()

		End Sub

		Public Shared Function GetBinding() As Binding
			Dim binding As New WSHttpBinding(SecurityMode.Message)
			binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows
			Return binding
		End Function
	End Class
End Namespace

Im folgenden Beispiel wird gezeigt, wie Benutzer definiert angegeben wird.The following example shows how to specify Custom.

namespace CustomMode
{
    public class Test
    {
        public static void Main()
        {
            try
            {
                ShowPrincipalPermissionModeCustom ppwm = new ShowPrincipalPermissionModeCustom();
                ppwm.Run();

            }
            catch (Exception exc)
            {
                Console.WriteLine("Error: {0}", exc.Message);
                Console.ReadLine();
            }
        }
    }

    class ShowPrincipalPermissionModeCustom
    {
        [ServiceContract]
        interface ISecureService
        {
            [OperationContract]
            string Method1(string request);
        }

        [ServiceBehavior]
        class SecureService : ISecureService
        {
            [PrincipalPermission(SecurityAction.Demand, Role = "everyone")]
            public string Method1(string request)
            {
                return String.Format("Hello, \"{0}\"", Thread.CurrentPrincipal.Identity.Name);
            }
        }

        public void Run()
        {
            Uri serviceUri = new Uri(@"http://localhost:8006/Service");
            ServiceHost service = new ServiceHost(typeof(SecureService));
            service.AddServiceEndpoint(typeof(ISecureService), GetBinding(), serviceUri);
            List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>();
            policies.Add(new CustomAuthorizationPolicy());
            service.Authorization.ExternalAuthorizationPolicies = policies.AsReadOnly();
            service.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
            service.Open();

            EndpointAddress sr = new EndpointAddress(
                serviceUri, EndpointIdentity.CreateUpnIdentity(WindowsIdentity.GetCurrent().Name));
            ChannelFactory<ISecureService> cf = new ChannelFactory<ISecureService>(GetBinding(), sr);
            ISecureService client = cf.CreateChannel();
            Console.WriteLine("Client received response from Method1: {0}", client.Method1("hello"));
            ((IChannel)client).Close();
            Console.ReadLine();
            service.Close();            
        }

        public static Binding GetBinding()
        {
            WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
            return binding;
        }

        class CustomAuthorizationPolicy : IAuthorizationPolicy
        {
            string id = Guid.NewGuid().ToString();

            public string Id
            {
                get { return this.id; }
            }

            public ClaimSet Issuer
            {
                get { return ClaimSet.System; }
            }

            public bool Evaluate(EvaluationContext context, ref object state)
            {
                object obj;
                if (!context.Properties.TryGetValue("Identities", out obj))
                    return false;

                IList<IIdentity> identities = obj as IList<IIdentity>;
                if (obj == null || identities.Count <= 0)
                    return false;

                context.Properties["Principal"] = new CustomPrincipal(identities[0]);
                return true;
            }
        }

        class CustomPrincipal : IPrincipal
        {
            IIdentity identity;
            public CustomPrincipal(IIdentity identity)
            {
                this.identity = identity;
            }

            public IIdentity Identity
            {
                get { return this.identity; }
            }

            public bool IsInRole(string role)
            {
                return true;
            }
        }
    }
}
Namespace CustomMode
	Public Class Test
		Public Shared Sub Main()
			Try
				Dim ppwm As New ShowPrincipalPermissionModeCustom()
				ppwm.Run()

			Catch exc As Exception
				Console.WriteLine("Error: {0}", exc.Message)
				Console.ReadLine()
			End Try
		End Sub
	End Class

	Friend Class ShowPrincipalPermissionModeCustom
		<ServiceContract> _
		Private Interface ISecureService
			<OperationContract> _
			Function Method1(ByVal request As String) As String
		End Interface

		<ServiceBehavior> _
		Private Class SecureService
			Implements ISecureService
            <PrincipalPermission(SecurityAction.Demand, Role:="everyone")> _
            Public Function Method1(ByVal request As String) As String Implements ISecureService.Method1
                Return String.Format("Hello, ""{0}""", Thread.CurrentPrincipal.Identity.Name)
            End Function
		End Class

		Public Sub Run()
			Dim serviceUri As New Uri("http://localhost:8006/Service")
			Dim service As New ServiceHost(GetType(SecureService))
			service.AddServiceEndpoint(GetType(ISecureService), GetBinding(), serviceUri)
			Dim policies As New List(Of IAuthorizationPolicy)()
			policies.Add(New CustomAuthorizationPolicy())
			service.Authorization.ExternalAuthorizationPolicies = policies.AsReadOnly()
			service.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom
			service.Open()

			Dim sr As New EndpointAddress(serviceUri, EndpointIdentity.CreateUpnIdentity(WindowsIdentity.GetCurrent().Name))
			Dim cf As New ChannelFactory(Of ISecureService)(GetBinding(), sr)
			Dim client As ISecureService = cf.CreateChannel()
			Console.WriteLine("Client received response from Method1: {0}", client.Method1("hello"))
			CType(client, IChannel).Close()
			Console.ReadLine()
			service.Close()
		End Sub

		Public Shared Function GetBinding() As Binding
			Dim binding As New WSHttpBinding(SecurityMode.Message)
			binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows
			Return binding
		End Function

		Private Class CustomAuthorizationPolicy
			Implements IAuthorizationPolicy
			Private id_Renamed As String = Guid.NewGuid().ToString()

			Public ReadOnly Property Id() As String Implements System.IdentityModel.Policy.IAuthorizationComponent.Id
				Get
					Return Me.id_Renamed
				End Get
			End Property

			Public ReadOnly Property Issuer() As ClaimSet Implements IAuthorizationPolicy.Issuer
				Get
					Return ClaimSet.System
				End Get
			End Property

			Public Function Evaluate(ByVal context As EvaluationContext, ByRef state As Object) As Boolean Implements IAuthorizationPolicy.Evaluate
                Dim obj As Object = Nothing
				If (Not context.Properties.TryGetValue("Identities", obj)) Then
					Return False
				End If

				Dim identities As IList(Of IIdentity) = TryCast(obj, IList(Of IIdentity))
				If obj Is Nothing OrElse identities.Count <= 0 Then
					Return False
				End If

				context.Properties("Principal") = New CustomPrincipal(identities(0))
				Return True
			End Function
		End Class

		Private Class CustomPrincipal
			Implements IPrincipal
			Private identity_Renamed As IIdentity
			Public Sub New(ByVal identity As IIdentity)
				Me.identity_Renamed = identity
			End Sub

			Public ReadOnly Property Identity() As IIdentity Implements IPrincipal.Identity
				Get
					Return Me.identity_Renamed
				End Get
			End Property

			Public Function IsInRole(ByVal role As String) As Boolean Implements IPrincipal.IsInRole
				Return True
			End Function
		End Class
	End Class
End Namespace

Hinweise

Beim Anwenden des PrincipalPermissionAttributes auf eine Methode wird mit diesem Modus festgelegt, welche Rollen beim Autorisieren des Zugriffs verwendet werden sollen.When applying the PrincipalPermissionAttribute to a method, this mode specifies which set of roles to use when authorizing access. Standardmäßig verwendet das Attribut Windows-Gruppen (wie Administrator oder Users) zum Festlegen der Rolle, der der Benutzer angehören muss.By default, the attribute uses Windows groups (such as Administrator or Users) to specify the role to which the user must belong.

Um den Modus programmgesteuert festzulegen, müssen Sie eine Instanz der ServiceHost-Klasse erstellen, dann das ServiceAuthorizationBehavior in der Verhaltensauflistung suchen und den PrincipalPermissionMode auf die geeignete Enumeration festlegen.To set the mode programmatically, create an instance of the ServiceHost class, then find the ServiceAuthorizationBehavior in its collection of behaviors, and set the PrincipalPermissionMode to the appropriate enumeration. Im folgenden Beispiel wird die-Eigenschaft auf useaspnettroles festgelegt.The following example sets the property to UseAspNetRoles.

ServiceHost myServiceHost = new ServiceHost(typeof(Calculator), baseUri);
ServiceAuthorizationBehavior myServiceBehavior =
    myServiceHost.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
myServiceBehavior.PrincipalPermissionMode =
    PrincipalPermissionMode.UseAspNetRoles;
Dim myServiceHost As New ServiceHost(GetType(Calculator), baseUri)
Dim myServiceBehavior As ServiceAuthorizationBehavior = myServiceHost.Description.Behaviors.Find(Of ServiceAuthorizationBehavior)()
myServiceBehavior.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles

Sie können das Verhalten auch in der Konfiguration festlegen, indem Sie dem <> ServiceBehavior einer Konfigurationsdatei eine <ServiceAuthorization> hinzufügen, wie im folgenden Code gezeigt.You can also set the behavior in configuration by adding a <serviceAuthorization> to the <serviceBehaviors> of a configuration file, as shown in the following code.

// Only a client authenticated with a valid certificate that has the 
// specified subject name and thumbprint can call this method.
[PrincipalPermission(SecurityAction.Demand,
     Name = "CN=ReplaceWithSubjectName; 123456712345677E8E230FDE624F841B1CE9D41E")]
public double Multiply(double a, double b)
{
    return a * b;
}
' Only a client authenticated with a valid certificate that has the 
' specified subject name and thumbprint can call this method.
<PrincipalPermission(SecurityAction.Demand, Name := "CN=ReplaceWithSubjectName; 123456712345677E8E230FDE624F841B1CE9D41E")> _
Public Function Multiply(ByVal a As Double, ByVal b As Double) As Double
	Return a * b
End Function

Die Enumeration beeinflusst, wie das PrincipalPermissionAttribute-Attribut einen Benutzer autorisiert, wenn sie auf eine Methode angewendet wird.The enumeration affects how the PrincipalPermissionAttribute attribute authorizes a user when it is applied to a method. Im folgenden Beispiel wird das Attribut auf eine Methode angewendet und außerdem gefordert, dass der Benutzer der Benutzergruppe auf dem Computer angehört.The following example applies the attribute to a method and demands that the user belong to the Users group on the computer. Dieser Code funktioniert nur, wenn PrincipalPermissionMode auf UseWindowsGroup (die Standardeinstellung) festgelegt ist.This code works only when the PrincipalPermissionMode is set to UseWindowsGroup (the default setting).

// Only members of the CalculatorClients group can call this method.
[PrincipalPermission(SecurityAction.Demand, Role = "Users")]
public double Add(double a, double b)
{
    return a + b;
}
' Only members of the CalculatorClients group can call this method.
<PrincipalPermission(SecurityAction.Demand, Role := "Users")> _
Public Function Add(ByVal a As Double, ByVal b As Double) As Double
	Return a + b
End Function

UseAspNetRolesUseAspNetRoles

Der useaspnettroles-Wert wird für alle Anmelde Informationstypen verwendet.The UseAspNetRoles value is used for all credential types. Dieser Modus ermöglicht Windows Communication Foundation (WCF) die Verwendung des ASP.NET-Rollen Anbieters, um Autorisierungs Entscheidungen zu treffen.This mode enables Windows Communication Foundation (WCF) to use the ASP.NET role provider to make authorization decisions.

Wenn die Anmeldeinformationen für einen Dienst von einem X.509-Zertifikat bereitgestellt werden, können Sie die Name-Eigenschaft von PrincipalPermissionAttribute auf eine Zeichenfolge festlegen, die aus den verketteten Werten des Betreff- und Fingerabdruckfelds besteht, wie in folgendem Beispiel gezeigt.When the credential for a service is an X.509 certificate, you can set the Name property of the PrincipalPermissionAttribute to a string that consists of the concatenated values of the Subject field and the Thumbprint field, as shown in the following example.

ServiceHost myServiceHost = new ServiceHost(typeof(Calculator), baseUri);
ServiceAuthorizationBehavior myServiceBehavior =
    myServiceHost.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
myServiceBehavior.PrincipalPermissionMode =
    PrincipalPermissionMode.UseAspNetRoles;
MyServiceAuthorizationManager sm = new MyServiceAuthorizationManager();
myServiceBehavior.ServiceAuthorizationManager = sm;
Dim myServiceHost As New ServiceHost(GetType(Calculator), baseUri)
Dim myServiceBehavior As ServiceAuthorizationBehavior = myServiceHost.Description.Behaviors.Find(Of ServiceAuthorizationBehavior)()
myServiceBehavior.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles
Dim sm As New MyServiceAuthorizationManager()
myServiceBehavior.ServiceAuthorizationManager = sm

Die verkettete Zeichenfolge besteht aus den Betreff- und Fingerabdruckwerten, die durch ein Semikolon und ein Leerzeichen voneinander getrennt werden.The concatenated string consists of the subject and thumbprint values separated by a semicolon and a space.

Es ist auch möglich, dass das Betrefffeld eines Zertifikats auf eine NULL-Zeichenfolge festgelegt wird.It is also possible for a certificate to have a Subject field set to a null string. In diesem Fall können Sie die Name-Eigenschaft auf ein Semikolon, gefolgt von einem Leerzeichen und dem Fingerabdruck, festlegen, wie in folgendem Beispiel gezeigt.In that case, you can set the Name property to a semicolon followed by a space and then the thumbprint, as shown in the following example.

// Only a client authenticated with a valid certificate that has the 
// specified thumbprint can call this method.
[PrincipalPermission(SecurityAction.Demand,
     Name = "; 123456712345677E8E230FDE624F841B1CE9D41E")]
public double Divide(double a, double b)
{
    return a * b;
}
' Only a client authenticated with a valid certificate that has the 
' specified thumbprint can call this method.
<PrincipalPermission(SecurityAction.Demand, Name := "; 123456712345677E8E230FDE624F841B1CE9D41E")> _
Public Function Divide(ByVal a As Double, ByVal b As Double) As Double
	Return a * b
End Function

Wenn ein ASP.NET-Rollenanbieter vorhanden ist, können Sie die Role-Eigenschaft auf eine Rolle in der Datenbank festlegen.If an ASP.NET role provider is present, you can also set the Role property to a role in the database. Standardmäßig wird die Datenbank durch SqlRoleProvider dargestellt.By default, the database is represented by the SqlRoleProvider. Sie können auch einen benutzerdefinierten Rollenanbieter mit der RoleProvider-Eigenschaft der ServiceAuthorizationBehavior-Klasse festlegen.You can also set a custom role provider with the RoleProvider property of the ServiceAuthorizationBehavior class. Im folgenden Code wird die Rolle auf Administrators festgelegt.The following code sets the role to Administrators. Beachten Sie, dass der Rollenanbieter das Benutzerkonto dieser Rolle zuordnen muss.Note that the role provider must map the user account to that role.

[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
public string ReadFile(string fileName)
{
    // Code not shown.
    return "Not implemented";
}
<PrincipalPermission(SecurityAction.Demand, Role := "Administrators")> _
Public Function ReadFile(ByVal fileName As String) As String
	' Code not shown.
	Return "Not implemented"
End Function

Weitere Informationen zum ASP.NET-Rollen Anbieter finden Sie unter Gewusst wie: Verwenden Sie den Rollen-Managerin ASP.NET 2,0.For more information about the ASP.NET Role provider, see How To: Use Role Manager in ASP.NET 2.0.

Weitere Informationen zur Verwendung von WCF und dem Rollen Anbieter finden Sie unter Gewusst wie: Verwenden Sie den ASP.NET-Rollen Anbieter miteinem-Dienst.For more information about using WCF and the role provider, see How to: Use the ASP.NET Role Provider with a Service.

BenutzerdefiniertCustom

Wenn die-Eigenschaft auf Custom festgelegt ist, müssen Sie auch eine benutzerdefinierte Klasse bereit IAuthorizationPolicy stellen, die die-Klasse implementiert.When the property is set to Custom, you must also provide a custom class that implements the IAuthorizationPolicy class. Diese Klasse stellt die IPrincipal-Darstellung des Aufrufers in der Properties-Auflistung bereit.This class is responsible for providing the caller's IPrincipal representation inside the Properties collection. Sie muss die IPrincipal-Instanz in der Eigenschaftenauflistung unter Verwendung des Zeichenfolgeschlüssels "Principal" speichern, wie im folgenden Beispiel gezeigt.It must store the IPrincipal instance to the properties collection using the "Principal" string key, as shown in the following example.

evaluationContext.Properties["Principal"]=new CustomPrincipal(identity);  

HintergrundBackground

Mit der rollenbasierten Sicherheit in .NET Framework.NET Framework können Anwendungen Autorisierungen durch Code angeben.The role-based security in .NET Framework.NET Framework enables applications to specify authorizations through code. Durch Angeben des Bedarfs für PrincipalPermission muss CurrentPrincipal der Anforderung für PrincipalPermission entsprechen.By specifying the PrincipalPermission demand, the CurrentPrincipal must satisfy the PrincipalPermission requirement. Beispiel: Der Benutzer muss sich in einer bestimmten Rolle oder Gruppe befinden.For example, that the user must be in a specific role or group. Andernfalls ist der Thread nicht berechtigt, den Code auszuführen, wodurch eine Ausnahme ausgelöst wird.Otherwise, the thread is not authorized to execute the code, which results in an exception. WCF bietet eine Reihe von PrincipalPermissionMode Auswahlmöglichkeiten, die CurrentPrincipal auf SecurityContext Grundlage von entsprechend anzugeben.WCF provides a set of PrincipalPermissionMode selections to specify the CurrentPrincipal based on SecurityContext accordingly.

Gilt für: