IPrincipal.IsInRole() 仅当我截断角色名称时才有效 - 为什么?
我有一个严重依赖用户授权的应用程序。在其中,我使用 IPrincipal.IsInRole() 来检查用户是否位于正确的组中:
IPrincipal principal = Thread.CurrentPrincipal;
bool inRole = principal.IsInRole("mydomainname\some role with a long name");
这在大多数情况下工作正常,但如果主体是实例,则会失败(返回错误的结果) WindowsPrincipal 的。我发现要使其正常工作,我必须将传入的角色名称截断为 32 个字符长(包括域名和 \)
IPrincipal principal = Thread.CurrentPrincipal; // <- returns a WindowsPrincipal
bool inRole = principal.IsInRole("mydomainname\some role with a lo");
:工作正常。为什么?这是错误/功能/记录的问题吗?我预感到它可能与 Win2000 域有关,但找不到任何相关信息。
<子> 一些额外信息:
这是一个问题,因为应用程序可以配置为使用活动目录或“自定义”进行授权(“自定义”是支持接口的任何授权提供程序 - 可以是基于 SQL、基于文件等)。配置自定义后,角色很可能不需要截断,因此我不想在代码中处理这种特殊情况。此外,应用程序的另一部分使用 System.DirectoryServices.AccountManagement 命名空间中的类来查找组成员身份。这需要完整的角色名称,如果被截断则不起作用。
I have an application that relies heavily on authorization of users. Within it, I am using IPrincipal.IsInRole() to check whether users are in the correct groups:
IPrincipal principal = Thread.CurrentPrincipal;
bool inRole = principal.IsInRole("mydomainname\some role with a long name");
This works fine for the most part, but fails (returns an incorrect result) if the principal is an instance of a WindowsPrincipal. I have found that to make it work correctly, I have to truncate the name of the role that I pass in to be 32 characters long (including the domain name and the \):
IPrincipal principal = Thread.CurrentPrincipal; // <- returns a WindowsPrincipal
bool inRole = principal.IsInRole("mydomainname\some role with a lo");
Truncating the role name then works correctly. Why? Is this a bug/feature/documented issue? I have an inkling that it may be related to Win2000 domains, but cannot find any info on it.
Some extra info:
This is a problem because the application can be configured to use either active directory or "custom" for its authorization ("custom" being any authorization provider that supports an interface - could be SQL-based, file-based, etc..). When custom is configured, the roles most likely do not need truncating and so I don't want to have to deal with this special case in my code. Additionally, I have another part of the application that uses classes in the System.DirectoryServices.AccountManagement namespace to look up groups memberships. This requires the full role name and does not work if they are truncated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
经过多次尝试和错误,我已经弄清楚发生了什么。
在 Active Directory 中创建组时,它会被赋予两个名称:
似乎是 WindowsPrincipal当调用
IsInRole时,使用 Windows 2000 之前的组名称。经过广泛搜索后,这似乎没有任何记录。我得到的最接近的是这个推测性答案,这里有一个类似的问题。
就我而言,我在域上查询的组的名称很长,但 Windows 2000 之前的名称被截断(由于某种原因被截断为 32 个字符)。传递长名称不起作用,因为它正在检查错误的组名称。
After much trial and error, I have figured out what is going on.
When a group is created in Active Directory, it is given two names:
It seems to be that WindowsPrincipal uses the pre-Windows 2000 group name when
IsInRoleis called.After searching extensively, this does not seem to be documented anywhere. The closest I got was this speculative answer to a similar question here on SO.
In my case, the groups I was querying against on the domain had a long name, but a truncated pre-Windows 2000 name (truncated to 32 characters for some reason). Passing in the long name does not work as it was checking against the wrong group name.