PrincipalPermissionMode Enumeración

Definición

Establece el modo de comprobación de autorización al utilizar PrincipalPermissionAttribute para controlar el acceso a un método.Sets the mode for authorization checks when using the PrincipalPermissionAttribute to control access to a method.

public enum class PrincipalPermissionMode
public enum PrincipalPermissionMode
type PrincipalPermissionMode = 
Public Enum PrincipalPermissionMode
Herencia
PrincipalPermissionMode

Campos

Always 4

Siempre permite al usuario especificar una clase IPrincipal personalizada para CurrentPrincipal.Always enables the user to specify a IPrincipal class for CurrentPrincipal.

Custom 3

Permite al usuario especificar una clase IPrincipal personalizada para CurrentPrincipal.Enables the user to specify a custom IPrincipal class for CurrentPrincipal.

None 0

CurrentPrincipal' no está establecido.CurrentPrincipal is not set.

UseAspNetRoles 2

CurrentPrincipal se establece basándose en el proveedor de funciones ASP.NETASP.NET (RoleProvider).CurrentPrincipal is set based on the ASP.NETASP.NET role provider (RoleProvider).

UseWindowsGroups 1

CurrentPrincipal se establece basándose en Windows (WindowsPrincipal).CurrentPrincipal is set based on Windows (WindowsPrincipal). Si la identidad del usuario no está asociada a una cuenta de Windows, se utilizará un usuario de Windows anónimo.If the user identity is not associated with a Windows account, anonymous Windows is used.

Ejemplos

En el ejemplo siguiente se muestra cómo especificar UseAspNetRoles.The following example shows how to specify UseAspNetRoles.

namespace TestPrincipalPermission
{
    class PrincipalPermissionModeWindows
    {
    
        [ServiceContract]
        interface ISecureService
        {
            [OperationContract]
            string Method1();
        }
                
        class SecureService : ISecureService
        {
            [PrincipalPermission(SecurityAction.Demand, Role = "everyone")]
            public string Method1()
            {
                return String.Format("Hello, \"{0}\"", Thread.CurrentPrincipal.Identity.Name);
            }
        }

        public void Run()
        {
            Uri serviceUri = new Uri(@"http://localhost:8006/Service");
            ServiceHost service = new ServiceHost(typeof(SecureService));
            service.AddServiceEndpoint(typeof(ISecureService), GetBinding(), serviceUri);
            service.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
            service.Open();

            EndpointAddress sr = new EndpointAddress(
                serviceUri, EndpointIdentity.CreateUpnIdentity(WindowsIdentity.GetCurrent().Name));
            ChannelFactory<ISecureService> cf = new ChannelFactory<ISecureService>(GetBinding(), sr);
            ISecureService client = cf.CreateChannel();
            Console.WriteLine("Client received response from Method1: {0}", client.Method1());
            ((IChannel)client).Close();
            Console.ReadLine();
            service.Close();
            
        }

        public static Binding GetBinding()
        {
            WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
            return binding;
        }
    }
}
Namespace TestPrincipalPermission
    Friend Class PrincipalPermissionModeWindows

        <ServiceContract> _
        Private Interface ISecureService
            <OperationContract> _
            Function Method1() As String
        End Interface

        Private Class SecureService
            Implements ISecureService
            <PrincipalPermission(SecurityAction.Demand, Role:="everyone")> _
            Public Function Method1() As String Implements ISecureService.Method1
                Return String.Format("Hello, ""{0}""", Thread.CurrentPrincipal.Identity.Name)
            End Function

        End Class

        Public Sub Run()
            Dim serviceUri As New Uri("http://localhost:8006/Service")
            Dim service As New ServiceHost(GetType(SecureService))
            service.AddServiceEndpoint(GetType(ISecureService), GetBinding(), serviceUri)
            service.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles
            service.Open()

            Dim sr As New EndpointAddress(serviceUri, EndpointIdentity.CreateUpnIdentity(WindowsIdentity.GetCurrent().Name))
            Dim cf As New ChannelFactory(Of ISecureService)(GetBinding(), sr)
            Dim client As ISecureService = cf.CreateChannel()
            Console.WriteLine("Client received response from Method1: {0}", client.Method1())
            CType(client, IChannel).Close()
            Console.ReadLine()
            service.Close()

        End Sub

        Public Shared Function GetBinding() As Binding
            Dim binding As New WSHttpBinding(SecurityMode.Message)
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows
            Return binding
        End Function
    End Class
End Namespace

En el ejemplo siguiente se muestra cómo especificar Custom.The following example shows how to specify Custom.

namespace CustomMode
{
    public class Test
    {
        public static void Main()
        {
            try
            {
                ShowPrincipalPermissionModeCustom ppwm = new ShowPrincipalPermissionModeCustom();
                ppwm.Run();

            }
            catch (Exception exc)
            {
                Console.WriteLine("Error: {0}", exc.Message);
                Console.ReadLine();
            }
        }
    }

    class ShowPrincipalPermissionModeCustom
    {
        [ServiceContract]
        interface ISecureService
        {
            [OperationContract]
            string Method1(string request);
        }

        [ServiceBehavior]
        class SecureService : ISecureService
        {
            [PrincipalPermission(SecurityAction.Demand, Role = "everyone")]
            public string Method1(string request)
            {
                return String.Format("Hello, \"{0}\"", Thread.CurrentPrincipal.Identity.Name);
            }
        }

        public void Run()
        {
            Uri serviceUri = new Uri(@"http://localhost:8006/Service");
            ServiceHost service = new ServiceHost(typeof(SecureService));
            service.AddServiceEndpoint(typeof(ISecureService), GetBinding(), serviceUri);
            List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>();
            policies.Add(new CustomAuthorizationPolicy());
            service.Authorization.ExternalAuthorizationPolicies = policies.AsReadOnly();
            service.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
            service.Open();

            EndpointAddress sr = new EndpointAddress(
                serviceUri, EndpointIdentity.CreateUpnIdentity(WindowsIdentity.GetCurrent().Name));
            ChannelFactory<ISecureService> cf = new ChannelFactory<ISecureService>(GetBinding(), sr);
            ISecureService client = cf.CreateChannel();
            Console.WriteLine("Client received response from Method1: {0}", client.Method1("hello"));
            ((IChannel)client).Close();
            Console.ReadLine();
            service.Close();            
        }

        public static Binding GetBinding()
        {
            WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
            return binding;
        }

        class CustomAuthorizationPolicy : IAuthorizationPolicy
        {
            string id = Guid.NewGuid().ToString();

            public string Id
            {
                get { return this.id; }
            }

            public ClaimSet Issuer
            {
                get { return ClaimSet.System; }
            }

            public bool Evaluate(EvaluationContext context, ref object state)
            {
                object obj;
                if (!context.Properties.TryGetValue("Identities", out obj))
                    return false;

                IList<IIdentity> identities = obj as IList<IIdentity>;
                if (obj == null || identities.Count <= 0)
                    return false;

                context.Properties["Principal"] = new CustomPrincipal(identities[0]);
                return true;
            }
        }

        class CustomPrincipal : IPrincipal
        {
            IIdentity identity;
            public CustomPrincipal(IIdentity identity)
            {
                this.identity = identity;
            }

            public IIdentity Identity
            {
                get { return this.identity; }
            }

            public bool IsInRole(string role)
            {
                return true;
            }
        }
    }
}
Namespace CustomMode
    Public Class Test
        Public Shared Sub Main()
            Try
                Dim ppwm As New ShowPrincipalPermissionModeCustom()
                ppwm.Run()

            Catch exc As Exception
                Console.WriteLine("Error: {0}", exc.Message)
                Console.ReadLine()
            End Try
        End Sub
    End Class

    Friend Class ShowPrincipalPermissionModeCustom
        <ServiceContract> _
        Private Interface ISecureService
            <OperationContract> _
            Function Method1(ByVal request As String) As String
        End Interface

        <ServiceBehavior> _
        Private Class SecureService
            Implements ISecureService
            <PrincipalPermission(SecurityAction.Demand, Role:="everyone")> _
            Public Function Method1(ByVal request As String) As String Implements ISecureService.Method1
                Return String.Format("Hello, ""{0}""", Thread.CurrentPrincipal.Identity.Name)
            End Function
        End Class

        Public Sub Run()
            Dim serviceUri As New Uri("http://localhost:8006/Service")
            Dim service As New ServiceHost(GetType(SecureService))
            service.AddServiceEndpoint(GetType(ISecureService), GetBinding(), serviceUri)
            Dim policies As New List(Of IAuthorizationPolicy)()
            policies.Add(New CustomAuthorizationPolicy())
            service.Authorization.ExternalAuthorizationPolicies = policies.AsReadOnly()
            service.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom
            service.Open()

            Dim sr As New EndpointAddress(serviceUri, EndpointIdentity.CreateUpnIdentity(WindowsIdentity.GetCurrent().Name))
            Dim cf As New ChannelFactory(Of ISecureService)(GetBinding(), sr)
            Dim client As ISecureService = cf.CreateChannel()
            Console.WriteLine("Client received response from Method1: {0}", client.Method1("hello"))
            CType(client, IChannel).Close()
            Console.ReadLine()
            service.Close()
        End Sub

        Public Shared Function GetBinding() As Binding
            Dim binding As New WSHttpBinding(SecurityMode.Message)
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows
            Return binding
        End Function

        Private Class CustomAuthorizationPolicy
            Implements IAuthorizationPolicy
            Private id_Renamed As String = Guid.NewGuid().ToString()

            Public ReadOnly Property Id() As String Implements System.IdentityModel.Policy.IAuthorizationComponent.Id
                Get
                    Return Me.id_Renamed
                End Get
            End Property

            Public ReadOnly Property Issuer() As ClaimSet Implements IAuthorizationPolicy.Issuer
                Get
                    Return ClaimSet.System
                End Get
            End Property

            Public Function Evaluate(ByVal context As EvaluationContext, ByRef state As Object) As Boolean Implements IAuthorizationPolicy.Evaluate
                Dim obj As Object = Nothing
                If (Not context.Properties.TryGetValue("Identities", obj)) Then
                    Return False
                End If

                Dim identities As IList(Of IIdentity) = TryCast(obj, IList(Of IIdentity))
                If obj Is Nothing OrElse identities.Count <= 0 Then
                    Return False
                End If

                context.Properties("Principal") = New CustomPrincipal(identities(0))
                Return True
            End Function
        End Class

        Private Class CustomPrincipal
            Implements IPrincipal
            Private identity_Renamed As IIdentity
            Public Sub New(ByVal identity As IIdentity)
                Me.identity_Renamed = identity
            End Sub

            Public ReadOnly Property Identity() As IIdentity Implements IPrincipal.Identity
                Get
                    Return Me.identity_Renamed
                End Get
            End Property

            Public Function IsInRole(ByVal role As String) As Boolean Implements IPrincipal.IsInRole
                Return True
            End Function
        End Class
    End Class
End Namespace

Comentarios

Al aplicar PrincipalPermissionAttribute a un método, este modo especifica qué conjunto de funciones se utiliza para autorizar el acceso.When applying the PrincipalPermissionAttribute to a method, this mode specifies which set of roles to use when authorizing access. De forma predeterminada, el atributo utiliza los grupos de Windows (como Administrator o Users) para especificar la función a la que debe pertenecer el usuario.By default, the attribute uses Windows groups (such as Administrator or Users) to specify the role to which the user must belong.

Para establecer mediante programación el modo, cree una instancia de la clase ServiceHost, a continuación, busque ServiceAuthorizationBehavior en su colección de comportamientos y establezca PrincipalPermissionMode en la enumeración adecuada.To set the mode programmatically, create an instance of the ServiceHost class, then find the ServiceAuthorizationBehavior in its collection of behaviors, and set the PrincipalPermissionMode to the appropriate enumeration. En el ejemplo siguiente se establece la propiedad en UseAspNetRoles.The following example sets the property to UseAspNetRoles.

ServiceHost myServiceHost = new ServiceHost(typeof(Calculator), baseUri);
ServiceAuthorizationBehavior myServiceBehavior =
    myServiceHost.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
myServiceBehavior.PrincipalPermissionMode =
    PrincipalPermissionMode.UseAspNetRoles;
Dim myServiceHost As New ServiceHost(GetType(Calculator), baseUri)
Dim myServiceBehavior As ServiceAuthorizationBehavior = myServiceHost.Description.Behaviors.Find(Of ServiceAuthorizationBehavior)()
myServiceBehavior.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles

También puede establecer el comportamiento en la configuración agregando un <serviceAuthorization> a los <serviceBehaviors> de un archivo de configuración, tal y como se muestra en el código siguiente.You can also set the behavior in configuration by adding a <serviceAuthorization> to the <serviceBehaviors> of a configuration file, as shown in the following code.

// Only a client authenticated with a valid certificate that has the 
// specified subject name and thumbprint can call this method.
[PrincipalPermission(SecurityAction.Demand,
     Name = "CN=ReplaceWithSubjectName; 123456712345677E8E230FDE624F841B1CE9D41E")]
public double Multiply(double a, double b)
{
    return a * b;
}
' Only a client authenticated with a valid certificate that has the 
' specified subject name and thumbprint can call this method.
<PrincipalPermission(SecurityAction.Demand, Name := "CN=ReplaceWithSubjectName; 123456712345677E8E230FDE624F841B1CE9D41E")> _
Public Function Multiply(ByVal a As Double, ByVal b As Double) As Double
    Return a * b
End Function

La enumeración afecta a cómo el atributo PrincipalPermissionAttribute autoriza a un usuario cuando se aplica a un método.The enumeration affects how the PrincipalPermissionAttribute attribute authorizes a user when it is applied to a method. El ejemplo siguiente aplica el atributo a un método y exige que el usuario pertenezca al grupo Usuarios del equipo.The following example applies the attribute to a method and demands that the user belong to the Users group on the computer. Este código sólo funcionará cuando PrincipalPermissionMode se establece en UseWindowsGroup (el valor predeterminado).This code works only when the PrincipalPermissionMode is set to UseWindowsGroup (the default setting).

// Only members of the CalculatorClients group can call this method.
[PrincipalPermission(SecurityAction.Demand, Role = "Users")]
public double Add(double a, double b)
{
    return a + b;
}
' Only members of the CalculatorClients group can call this method.
<PrincipalPermission(SecurityAction.Demand, Role := "Users")> _
Public Function Add(ByVal a As Double, ByVal b As Double) As Double
    Return a + b
End Function

UseAspNetRolesUseAspNetRoles

El valor UseAspNetRoles se usa para todos los tipos de credenciales.The UseAspNetRoles value is used for all credential types. Este modo permite a Windows Communication Foundation (WCF) usar el proveedor de roles ASP.NET para tomar decisiones de autorización.This mode enables Windows Communication Foundation (WCF) to use the ASP.NET role provider to make authorization decisions.

Cuando la credencial de un servicio es un certificado X.509, puede establecer la propiedad Name de PrincipalPermissionAttribute en una cadena compuesta de valores concatenados del campo Asunto y el campo Huella digital, tal y como muestra el ejemplo siguiente.When the credential for a service is an X.509 certificate, you can set the Name property of the PrincipalPermissionAttribute to a string that consists of the concatenated values of the Subject field and the Thumbprint field, as shown in the following example.

ServiceHost myServiceHost = new ServiceHost(typeof(Calculator), baseUri);
ServiceAuthorizationBehavior myServiceBehavior =
    myServiceHost.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
myServiceBehavior.PrincipalPermissionMode =
    PrincipalPermissionMode.UseAspNetRoles;
MyServiceAuthorizationManager sm = new MyServiceAuthorizationManager();
myServiceBehavior.ServiceAuthorizationManager = sm;
Dim myServiceHost As New ServiceHost(GetType(Calculator), baseUri)
Dim myServiceBehavior As ServiceAuthorizationBehavior = myServiceHost.Description.Behaviors.Find(Of ServiceAuthorizationBehavior)()
myServiceBehavior.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles
Dim sm As New MyServiceAuthorizationManager()
myServiceBehavior.ServiceAuthorizationManager = sm

La cadena concatenada está compuesta de los valores del asunto y la huella digital separados por un punto y coma y un espacio.The concatenated string consists of the subject and thumbprint values separated by a semicolon and a space.

También es posible que un certificado tenga un conjunto de campos Asunto con una cadena nula.It is also possible for a certificate to have a Subject field set to a null string. En ese caso, puede establecer la propiedad Name en un punto y coma seguido por un espacio y, a continuación, la huella digital; como se muestra en el ejemplo siguiente.In that case, you can set the Name property to a semicolon followed by a space and then the thumbprint, as shown in the following example.

// Only a client authenticated with a valid certificate that has the 
// specified thumbprint can call this method.
[PrincipalPermission(SecurityAction.Demand,
     Name = "; 123456712345677E8E230FDE624F841B1CE9D41E")]
public double Divide(double a, double b)
{
    return a * b;
}
' Only a client authenticated with a valid certificate that has the 
' specified thumbprint can call this method.
<PrincipalPermission(SecurityAction.Demand, Name := "; 123456712345677E8E230FDE624F841B1CE9D41E")> _
Public Function Divide(ByVal a As Double, ByVal b As Double) As Double
    Return a * b
End Function

Si un proveedor de funciones de ASP.NET está presente, también puede establecer la propiedad Role en una función en la base de datos.If an ASP.NET role provider is present, you can also set the Role property to a role in the database. De manera predeterminada, la base de datos está representada por SqlRoleProvider.By default, the database is represented by the SqlRoleProvider. También puede establecer un proveedor de funciones personalizado con la propiedad RoleProvider de la clase ServiceAuthorizationBehavior.You can also set a custom role provider with the RoleProvider property of the ServiceAuthorizationBehavior class. El siguiente código establece la función en Administrators.The following code sets the role to Administrators. Tenga en cuenta que el proveedor de funciones debe asignar la cuenta de usuario a esa función.Note that the role provider must map the user account to that role.

[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
public string ReadFile(string fileName)
{
    // Code not shown.
    return "Not implemented";
}
<PrincipalPermission(SecurityAction.Demand, Role := "Administrators")> _
Public Function ReadFile(ByVal fileName As String) As String
    ' Code not shown.
    Return "Not implemented"
End Function

Para obtener más información acerca del proveedor de roles ASP.net , consulte Cómo: Use el administrador de roles enASP.net 2,0.For more information about the ASP.NET Role provider, see How To: Use Role Manager in ASP.NET 2.0.

Para obtener más información sobre el uso de WCF y el proveedor de roles, consulte Cómo: Usar el proveedor de roles ASP.NET con unservicio.For more information about using WCF and the role provider, see How to: Use the ASP.NET Role Provider with a Service.

PersonalizadosCustom

Cuando la propiedad se establece en Custom, también debe proporcionar una clase personalizada que implemente la IAuthorizationPolicy clase.When the property is set to Custom, you must also provide a custom class that implements the IAuthorizationPolicy class. Esta clase es responsable de proporcionar la representación del objeto de IPrincipal del autor de la llamada dentro de la colección Properties.This class is responsible for providing the caller's IPrincipal representation inside the Properties collection. Debe almacenar la instancia IPrincipal en la colección de propiedades utilizando la clave de cadena "Principal", como se muestra en el ejemplo siguiente.It must store the IPrincipal instance to the properties collection using the "Principal" string key, as shown in the following example.

evaluationContext.Properties["Principal"]=new CustomPrincipal(identity);  

FondoBackground

La seguridad basada en funciones en .NET Framework.NET Framework permite a las aplicaciones especificar autorizaciones mediante código.The role-based security in .NET Framework.NET Framework enables applications to specify authorizations through code. Al especificar la demanda PrincipalPermission, CurrentPrincipal debe satisfacer el requisito PrincipalPermission.By specifying the PrincipalPermission demand, the CurrentPrincipal must satisfy the PrincipalPermission requirement. Por ejemplo, el usuario debe estar en una función o grupo específico.For example, that the user must be in a specific role or group. De lo contrario, el subproceso no está autorizado a ejecutar el código, lo que produce una excepción.Otherwise, the thread is not authorized to execute the code, which results in an exception. WCF proporciona un conjunto de PrincipalPermissionMode selecciones para especificar el CurrentPrincipal según SecurityContext corresponda.WCF provides a set of PrincipalPermissionMode selections to specify the CurrentPrincipal based on SecurityContext accordingly.

Se aplica a