Unable to load file or assembly 'Microsoft.Interop.Security.AzRoles...

Topics: Security Application Block
Jul 11, 2007 at 4:14 AM
I'm facing a problem when I try to verify an authorization under AzMan thru EntLib 3.0.

My xml configuration for the application block is:

<securityConfiguration defaultAuthorizationInstance="" defaultSecurityCacheInstance="">
<authorizationProviders>
<add storeLocation="msxml://c:/temp/myfile.xml"
application="myApp" scope="" auditIdentifierPrefix="AzMan Authorization Provider"
type="Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider, Microsoft.Practices.EnterpriseLibrary.Security.AzMan, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
name="myAzMan" />
</authorizationProviders>
</securityConfiguration>

but, when I tried to check using the code below:

Dim principal As IPrincipal = New WindowsPrincipal(WindowsIdentity.GetCurrent())

Dim ruleProvider As IAuthorizationProvider = AuthorizationFactory.GetAuthorizationProvider("myAzMan")

Dim authorized As Boolean = ruleProvider.Authorize(principal, "SomeThing")

The following error appears:

"Unable to load file or assembly 'Microsoft.Interop.Security.AzRoles, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' ou uma de suas dependências. O sistema não pode encontrar o arquivo especificado.":"Microsoft.Interop.Sec...

Does anyone knows what am I missing? I'm not new to app blocks but I'm new to version 3.0, so I might be doing something or somethings wrong...

See ya!@!
Jul 11, 2007 at 1:05 PM
Hi,

You need to install the AZMan assemblies. You can read the instructions on how to install them from http://msdn2.microsoft.com/en-us/library/ms998336.aspx#paght000019_rtf%20formatting_step1.

Fernando
Jul 12, 2007 at 4:25 AM
Thank you Fernando!!

I just downloaded the Windows 2000 AzMan Runtime on and followed tha instructions on getting the dll from the PIA directory and put it on GAC.

Now that validation per role has worked, I want know if validation per oration is supported cause' I use this kind of validation os some systems .

See ya!@! and thank you again!!!
Jul 12, 2007 at 1:40 PM
Edited Jul 12, 2007 at 4:15 PM
Hi chila,

It's great you could make it work. This AZMan configuration is a bit obscure.

I don't understand what you mean with "validation per oration" (I'm not really an AZMan expert). The authorization API is pretty narrow though, consisting of just the bool Authorize(IPrincipal principal, string context) method, so if what you need does not fit this method signature I guess you're out of luck.
Can you please clarify your scenario?

Thanks,
Fernando
Jul 12, 2007 at 4:22 PM
Fernando, sorry, I mispelled the words... I was wondering if there is a built method to verify an operation instead of just a Role.

I say this 'cause on some systems I check only for roles e on other (more dynamic ones) I just check the operations...

Well, if it isn't possible, I will rewrote the Security App Block to add this and after that I share the new security one on ContrLib. Just for you knowledge, using AzMan, I check an operation using the following method:

IAzClientContext.AccessCheck

See ya!@!
Jul 12, 2007 at 5:12 PM
Hi chila,

You can perform per operation validation by supplying the operation name in the context parameter, prefixed by "O:".

Hope this helps,
Feranndo
Jul 13, 2007 at 3:03 AM
Bravo Fernando!!

Worked fine and faster. Previously, I was performing these checks, but it was so slow, now, it's really fast. I'm testing using a XML but tomorrow I'll test under real condictions, accessing AzMan stored on AD. Any news I'll tell here.

See ya and thank you very much!

Chilá!@!
Aug 21, 2007 at 2:49 PM
But Does Authorize method also require prefix for Role authorization just like O: for operation?
Aug 21, 2007 at 2:57 PM
Hi,

Can you provide more information about your question?

The O: prefiex needs to be added to context paramter to indicate it's an operation, and not a task, what needs to ve authorized. AFAIK tasks and operations are the only things that can be authorized with the AzMan provider; I would expect role based authorization to be performed by AzMan.

Regards,
Fernando
Aug 21, 2007 at 4:24 PM
Thanks.
Here is further info.
Task Authorization:
bFlag=ruleProvider.Authorize(principal, "MyTask");
Operation Authorization:
Task Authorization:
bFlag=ruleProvider.Authorize(principal, string.Format("O:{0}", "MyOp"));
Role Authorization:
????? Should i useAuthorize Method or something else for Role???

Thanks
Aug 21, 2007 at 6:23 PM
Hi,

I don't understand where a role would fit in this API. You're asking whether a principal is authorized to perform an operation, there is no role involved.

If you mean to determine whether a principal belongs to a Role, you would ASP.NET's role provider; please see the security quick start for details.

Regards,
Fernando
Sep 6, 2007 at 5:45 PM
Hi,
Can i use relative path like
<add storeLocation="msxml://../myfile.xml" ???

My exe is in C:/MyApp/Bin/MyApp.exe
My xml is in c:/MyApp/Storage/myfile.xml

But when i write relative path, authorization stops working.

Any idea?

Thanks,
sha
Sep 6, 2007 at 6:44 PM
Hi,

I'd recommend you deploy your store file under your app's parth instead of using a sibling folder. The AzMan provider supports a {currentPath} token that you can use in your location path, and it gets replaced by the app's current folder before loading the store. You can look at the AzMan unit tests' config file for an example.

Bye,
Fernando
Sep 7, 2007 at 4:03 PM
Thanks!
Lets take a scenario.
I implemented webclient which will communicate with my WCF web service.
Offcourse for security reason i dont want to expose my xml on client side (means web client).
But the problem is that "storeLocation=" requires xml path.
Is there any work around where storeLocation point out WCF webservice?

Any idea!

sha
Sep 7, 2007 at 4:28 PM
Hi sha,

I'm not sure I understand; do you have a web service published by an exe application or is it part of a web application? Anyway, in both cases you should be able to avoid making files available to a client: the stand alone app will just listen for the web service requests, and files in the bin folder of a web app will not be served by a web server.

Fernando
Sep 7, 2007 at 4:46 PM
True.
My web service is a web application and i dont want to write xml path in my web client application.
Since, i used Injection Block on my web application so what will be in "storeLocation"???
<add storeLocation="???weblink or web method???"

Thanks,
sha
Sep 7, 2007 at 5:29 PM
Hi,

What I don't understand is why you would need to write the path to the xml store file used by your web app in the configuration for your web client.

If your web app users policy injection and the security block, the store file will be deployed with your web application to a location that is not accessible by clients, and its configuration file (the web app's, that is) will point to that (local, as viewed by the web app) path in the configuration for the AzMan provider.

Fernando
Sep 10, 2007 at 4:48 PM
Thanks.
I should rephrase it.

My client application(thin /rich app) resides on cient side.

It will call WCF webservice which is on server.
WCF service has been configured to communicate with xml(on server) using its web.config file.
But WCF raise exception on AuthorizationFactory.GetAuthorizationProvider.

How to resolve it? Izit wrong to use Security Application block in WCF?
Also, im using AzMan Provider for Security Application block.

sha
Sep 10, 2007 at 9:20 PM
Hi,

I still don't understand how we got here from the original question about relative locations for the azman store file breaking the AzMan provider :)

Anyway, you should be able to use the security block with your WCF service. You will probably need to use some mechanism to manage the principals you will use for authentication.
Using the security block is an implementation detail of your service that you shouldn't expose to the client, so if you get an exception when using the block you should manage it in the service implementation and eventually raise a new service exception (and try to solve the problem that caused the exception).

Just my .02,
Fernando
Sep 17, 2007 at 6:56 PM
Thanks for urs answers.
Everything is set and working well.

Now i have another question?
I dont want to use svcutil.exe. Instead of it, want to use .Net library.
Can I create contract for the client JUST like Svcutil.exe?

Thanks,
sha
Sep 18, 2007 at 1:43 PM
Hi,

That's something you can ask here http://forums.microsoft.com/msdn/showforum.aspx?forumid=118&siteid=1.

Regards,
Fernando
Sep 18, 2007 at 3:48 PM
Thanks alot
Nov 2, 2007 at 4:08 PM
Edited Nov 2, 2007 at 4:10 PM
I've place the {currentPath} token in the storagelocation attribute but I receive a FileNotFound exception.

Tokenized: msxml://{currentPath}/azman.xml
Full path: msxml://full_path/azman.xml

It works properly with the full path.

I have the azman.xml file in my application root folder.

FileNotFoundException: The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass.Initialize(Int32 lFlags, String bstrPolicyURL, Object varReserved) +0
Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.GetClientContext(WindowsIdentity identity, String applicationName, IAzApplication& azApp) +75
Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.CheckAccessTasks(String auditIdentifier, WindowsIdentity identity, String[] tasks) +74
Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.Authorize(IPrincipal principal, String context) +311
Default.PageLoad(Object sender, EventArgs e) in Default.aspx.cs:24
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +15
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +34
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +47
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1061
Nov 2, 2007 at 4:14 PM
After digging through the azman code, I see it is calling: Directory.GetCurrentDirectory() to replace the {currentPath} token.

When I run this from my ASPX code I receive: C:/WINNT/system32 instead of what I thought would be my application's root folder.
Nov 2, 2007 at 5:23 PM
Hi,

Should be using the app domain's base folder instead. Logging as a defect.


Greif wrote:
After digging through the azman code, I see it is calling: Directory.GetCurrentDirectory() to replace the {currentPath} token.

When I run this from my ASPX code I receive: C:/WINNT/system32 instead of what I thought would be my application's root folder.

Nov 2, 2007 at 5:24 PM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.
Dec 14, 2007 at 3:49 PM
I want to determine whether a principal belongs to a Role defined within my AzManStore in ADAM. I've tried using ASP.NET's role provider, but I can't seem to get it working.

I would have thought that the EntLib would provide this functionality in AzMan.AzManAuthorizationProvider. Perhaps a adding a role check method?
Dec 17, 2007 at 12:49 PM
Hi,

This method really belongs into a Role provider; different authorization logic implementations may not rely on roles.
What was the problem with ASP.NET's role provider?

Fernando


Greif wrote:
I want to determine whether a principal belongs to a Role defined within my AzManStore in ADAM. I've tried using ASP.NET's role provider, but I can't seem to get it working.

I would have thought that the EntLib would provide this functionality in AzMan.AzManAuthorizationProvider. Perhaps a adding a role check method?

Dec 18, 2007 at 4:57 AM
Edited Dec 18, 2007 at 4:58 AM
I can't get the ASP.NET role provider to work with the roles in my AzManStore within ADAM.

I've already posted on MSDN but no replies yet... http://msdn.microsoft.com/newsgroups/managed/default.aspx?dg=microsoft.public.adsi.general&tid=a5333eac-d5d9-424c-b3e2-144f9044b61d&p=1
Dec 18, 2007 at 12:08 PM
Based on your followup post on that thread it doesn't look like having this functionality implemented in EntLib would have helped, as you would still need the appropriate permissions...

Can you please post about the resolution of this issue when it happens, so others can benefit from it?

Thanks,
Fernando
Dec 18, 2007 at 12:31 PM
That's the weird part. I am able to authorize users agains tasks and operations defined in my AzManStore using EntLIb. So I thought the ASP.NET Role Provider would work seamlessly. I think I am missing a small piece somewhere.