Code is ignoring PrincipalPermission attribute?

Question

I have a Delete method on all my business objects that has the PrincipalPermission attribute on it.

Example:

[PrincipalPermission(SecurityAction.Demand, Role = "Vendor Manager")]
        public static bool Delete(Vendor myVendor)
        {

            //do work here
        }

The problem is that it appears to be completely ignoring my PrincipalPermission. It lets anyone through, no matter what role they may be part of.

Is there something else I've forgotten to do? I have added the following to my Application's global.asax in the Application Startup section:

AppDomain.CurrentDomain.SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal);

But that doesn't make any difference either.

I also just tried the following:

public static bool Delete(Vendor myVendor)
        {
            PrincipalPermission iPerm = new PrincipalPermission(null, "Vendor Manager");
            iPerm.Demand();

            //do work here
        }

and wouldn't ya know, this works just fine!.... any ideas on why it works one way but not the other?

Answer 1

Did you get an answer for this? I just tested this in my own application and it works pretty well. I'm specifically NOT adding

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

And, I'm using Forms Authentication (ASP.NET Membership), MVC 2, .NET 3.5.

I did however discover if I decorate my class with the following my method decorations do not work.

[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]

Answer 2

Only one observation for any people that says that sample does not work. Check the name for the role according with your local culture. For example, if you resides in Mexico, you must to use: @"BUILTIN\Administradores" instead of @"BUILTIN\Administrators".

Answer 3

Have you validated that the Windows principal doesn't happen to have the permission you're requiring? Something like this (modified from here) -- I would think -- should mimic that behavior and allow you to step through. It should indicate whether or not the permission is granted.

If this passes, then I would expect the attribute to pass on through as well. If this fails, but the attribute passes through, then I'm as stumped as you are.

static void Main(string[] args)
{
    AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
    PrincipalPermission principalPerm = new PrincipalPermission(null, "Vendor Manager");
    try
    {
        principalPerm.Demand();
        Console.WriteLine("Demand succeeded.");
    }
    catch (Exception secEx)
    {
        Console.WriteLine("Demand failed.");
    }
    Console.ReadLine();
}