DSS Node Security Runtime Interaction

  • Article

Glossary Item Box

Microsoft Robotics Developer Studio Send feedback on this topic

DSS Node Security Runtime Interaction

Security Manager Service

A service can programmatically use the security manager service to modify the security settings at runtime. The user list can be modified by sending the InsertUser, UpdateUser and DeleteUser messages as appropriate. These messages each have the UserPermission type as their body. The UserPermission type uses a text representation of a user. To create this from a Security Identifier (SID), use code similar to the following:

string UserNameFromSid(SecurityIdentifier sid)
{
    NTAccount account = sid.Translate(typeof(NTAccount)) as NTAccount;
    if (account != null)
    {
        return account.Value;
    }
    return null;
}

The well known account and group names are localized in Windows, so hard-coding them will make a service unreliable in other localities. To create the text name from a well known SID, use code similar to the following:

string UserNameFromWellKnownSid(WellKnownSidType wellKnownSid)
{
    SecurityIdentifier sid = new SecurityIdentifier(wellKnownSid, null);
    NTAccount account = sid.Translate(typeof(NTAccount)) as NTAccount;
    if (account != null)
    {
        return account.Value;
    }
    return null;
}

For example, to safely create a UserPermission object that represents the group, everyone:

    UserPermssion user = new UserPermission();

    user.Rights = DsspRights.All;
    user.User = UserNameFromWellKnownSid(WellKnownSidType.WorldSid);

To insert this user into the user list from within an Iterator function:

    Fault fault = null;

    yield return Arbiter.Choice(
        _secMgr.InsertUser(user),
        delegate(DefaultInsertResponseType success){},
        delegate(Fault f)
        {
            fault = f;
        }
    );
    
    if (fault != null)
    {
        LogError(f);
        yield break;
    }
Bb870541.hs-note(en-us,MSDN.10).gif Changing the AuthenticationRequired or OnlySignedAssemblies settings can only be done using the replace message, taking care not to remove the current user list, and only takes effect when the DSS node is next started.

Authentication

When the AuthenticationRequired setting is enabled, messages that come from authenticated transports have a header attached. This header identifies the user making the request. This allows a service to choose different behavior for different users.

For a regular Decentralized Software Services Protocol operation, the header can be retrieved by calling the GetHeader method on the message

using sec = Microsoft.Dss.Runtime.Security;

and the handler looking like this:

[ServiceHandler(ServiceHandlerBehavior.Concurrent)]
public virtual IEnumerator<ITask> GetHandler(Get get)
{
    sec.UserPermission user = get.GetHeader<sec.UserPermission>();

    if (user != null)
    {
        // process per user 
    }

For messages processed from a Web client using the HttpGet, HttpPost and HttpQuery methods, the user identity is passed as part of the HttpListenerContext which is part of the body. This can be converted to a UserPermission using the FromIdentity method. For example:

[ServiceHandler(ServiceHandlerBehavior.Concurrent)]
public virtual IEnumerator<ITask> HttpGetHandler(HttpGet get)
{
    IPrincipal principal = get.Body.Context.User;
    
    if (principal != null)
    {
        sec.UserPermission user = sec.UserPermission.FromIdentity(
            principal.Identity
        ); 

        if (user != null)
        {
            // process per user 
        }
    }

 

 

© 2012 Microsoft Corporation. All Rights Reserved.