Problems with Security Block and AzMan

Topics: Security Application Block
Aug 28, 2007 at 8:51 AM
Hi!

What I'm trying to do is to add nodes to the sitemap, using rules. It looks like this:

SiteMapNodeInfo moduleNode2 = new SiteMapNodeInfo("NewsManager", "~/News/NewsManager.aspx", "ManageNews");
_siteMapBuilderService.AddNode(moduleNode2,"NodesRule");

The rule looks like R:Administrators

So I want the node to be visible only if the user is an Administrator.

The result I get looks like this:

Server Error in '/DevelopmentWebsite' Application.
--------------------------------------------------------------------------------

Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Runtime.InteropServices.COMException: Element not found. (Exception from HRESULT: 0x80070490)

Source Error:


No relevant source lines


Source File: c:\Temp\Temporary ASP.NET Files\developmentwebsite\0e456c0e\93a6e4e7\AppWeboetwynui.0.cs Line: 0

Stack Trace:

COMException (0x80070490): Element not found. (Exception from HRESULT: 0x80070490)
Microsoft.Interop.Security.AzRoles.IAzApplication.OpenTask(String bstrTaskName, Object varReserved) +0
Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.GetTaskOperations(IAzApplication azApp, String[] tasks) +204
Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.CheckAccessTasks(String auditIdentifier, WindowsIdentity identity, String[] tasks) +91

SecurityException: Element not found. (Exception from HRESULT: 0x80070490)
Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.CheckAccessTasks(String auditIdentifier, WindowsIdentity identity, String[] tasks) +272
Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.Authorize(IPrincipal principal, String context) +311
Microsoft.Practices.CompositeWeb.EnterpriseLibrary.Services.EnterpriseLibraryAuthorizationService.IsAuthorized(String context) +36
Microsoft.Practices.CompositeWeb.Providers.ModuleSiteMapProvider.IsAccessibleToUser(SiteMapNode node) +65
Microsoft.Practices.CompositeWeb.Providers.ModuleSiteMapProvider.IsAccessibleToUser(HttpContext context, SiteMapNode node) +11
System.Web.SiteMapNode.IsAccessibleToUser(HttpContext context) +14
System.Web.StaticSiteMapProvider.GetChildNodes(SiteMapNode node) +348
System.Web.SiteMapNode.get_ChildNodes() +23
System.Web.UI.WebControls.SiteMapDataSource.GetNodes() +363
System.Web.UI.WebControls.SiteMapDataSource.GetTreeView(String viewPath) +32
System.Web.UI.WebControls.SiteMapDataSource.GetHierarchicalView(String viewPath) +29
System.Web.UI.HierarchicalDataSourceControl.System.Web.UI.IHierarchicalDataSource.GetHierarchicalView(String viewPath) +7
System.Web.UI.WebControls.HierarchicalDataBoundControl.GetData(String viewPath) +22
System.Web.UI.WebControls.TreeView.DataBindNode(TreeNode node) +73
System.Web.UI.WebControls.TreeView.PerformDataBinding() +305
System.Web.UI.WebControls.HierarchicalDataBoundControl.PerformSelect() +82
System.Web.UI.WebControls.BaseDataBoundControl.DataBind() +70
System.Web.UI.WebControls.TreeView.DataBind() +4
System.Web.UI.WebControls.BaseDataBoundControl.EnsureDataBound() +82
System.Web.UI.WebControls.TreeView.OnPreRender(EventArgs e) +43
System.Web.UI.Control.PreRenderRecursiveInternal() +77
System.Web.UI.Control.PreRenderRecursiveInternal() +161
System.Web.UI.Control.PreRenderRecursiveInternal() +161
System.Web.UI.Control.PreRenderRecursiveInternal() +161
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6978
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +213
System.Web.UI.Page.ProcessRequest() +86
System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
System.Web.UI.Page.ProcessRequest(HttpContext context) +49
ASP.newsdefaultaspx.ProcessRequest(HttpContext context) in c:\Temp\Temporary ASP.NET Files\developmentwebsite\0e456c0e\93a6e4e7\AppWeboetwynui.0.cs:0
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +303
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64
--------------------------------------------------------------------------------------------------------------------------------------------

I have tried quite a few things to fix that, including adding security classes and IPermissions to the web.config and granting full access to the directory where the AzMan store resides to the ASPNET application. I really don't know what to do anymore.

If I don't use the rule, authorization works fine. But I don't know how to add the node.

Does anybody know how to fix this or is there a way to achieve the desired result in an alternative manner?

Aug 28, 2007 at 2:41 PM
Hi,

Please try what's described in this post http://forums.asp.net/t/1130866.aspx.

Regards,
Fernando
Aug 28, 2007 at 3:30 PM
Thank you for the reply.

But I'm not using ADAM, just AzMan.

Aug 28, 2007 at 4:40 PM
Hi,

How did you author the xml store file? Open the store with AzMan.msc. If there is an error in the xml, the tool should tell you, which would be consistent with the typo correction described as the solution in the link above.

Regards,
Fernando
Aug 28, 2007 at 8:46 PM
I've created the XML store, roles and rules via AzMan.msc. The tool never told me anything about any errors. Therefore I'm confused.
Aug 29, 2007 at 3:30 AM
Is it possible some names in your code don't match the names in your store file? Changing the names in the unit test to something wrong results in a similar stack...
BTW, which EntLib version are you using?

Test method Microsoft.Practices.EnterpriseLibrary.Security.AzMan.Tests.AzManProviderFixture.AuthorizeTask threw exception: System.Security.SecurityException: Element not found. (Exception from HRESULT: 0x80070490) ---> System.Runtime.InteropServices.COMException: Element not found. (Exception from HRESULT: 0x80070490).

at Microsoft.Interop.Security.AzRoles.IAzApplication.OpenTask(String bstrTaskName, Object varReserved)
at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.GetTaskOperations(IAzApplication azApp, String[] tasks) in D:\EntLib3Src31\App Blocks\Src\Security\AzMan\AzManAuthorizationProvider.cs:line 176
at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.CheckAccessTasks(String auditIdentifier, WindowsIdentity identity, String[] tasks) in D:\EntLib3Src31\App Blocks\Src\Security\AzMan\AzManAuthorizationProvider.cs:line 131
--- End of inner exception stack trace ---
at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.CheckAccessTasks(String auditIdentifier, WindowsIdentity identity, String[] tasks) in D:\EntLib3Src31\App Blocks\Src\Security\AzMan\AzManAuthorizationProvider.cs:line 152
at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.AzManAuthorizationProvider.Authorize(IPrincipal principal, String context) in D:\EntLib3Src31\App Blocks\Src\Security\AzMan\AzManAuthorizationProvider.cs:line 109
at Microsoft.Practices.EnterpriseLibrary.Security.AzMan.Tests.AzManProviderFixture.AuthorizeTask() in D:\EntLib3Src31\App Blocks\UnitTests\Security\AzMan\AzManProviderFixture.cs:line 66


Fernando
Aug 29, 2007 at 9:41 AM
I'm using Enterprise Library 3.1 and Web Client Software Factory June 2007.

Well, I've double-checked the store file name, the rule's name, the application name, but no result. If I try to add nodes using the rule it gives me this error.

If I don't, then the authorization works just fine.
Aug 29, 2007 at 12:58 PM
Hi,

I'm confused: how does a rule like R:Administrators fit here? That seems to belong to the Rule provider. With AzMan, you validate for authorization for tasks and operations, and the fact that the principal belongs to a given role is defined within AzMan.

I'm not familiar with how the ISiteMapBuilderService works, but I would expect the second parameter in the AddNode method to be the name of a "rule" to validate authorization. If you're using the AzMan provider, that "rule" would be the name of a task or an operation (if it starts with the "O:" prefix); if there is no such task or operation you would get the "element not found" error.

Just to make sure, you're configuring the ISiteMapBuilderService to use EntLib's AzMan provider to perform authorization, aren't you?

Fernando
Aug 29, 2007 at 2:28 PM
You're right. The problem was caused by the fact that I've used the name of a RuleProvider rule instead of an AzMan rule, just as you said.

Thank you for helping me out :)
Aug 29, 2007 at 2:46 PM
Phew... I'm glad this is working for you now.

However, this brings up a couple of interesting points. The purpose of using EntLib's authorization providers, and all providers for that matter, is to allow your code to be independent of the underlying technology. In this case, this expectation was not fulfilled because of the way different provider implementations use the "context" parameter for the Authorize method: the rule provider uses it as a generic rule name, but the AzMan provider assumes it's a task or operation name. Writing implementation-agnostic code would force the application code to authorize tasks, and not assume there are "rules" on the other side (or shoehorn AzMan's tasks into being rules, like having a "NodesRule").

In this case, it seems like "ManageNews" would be an appropriate task name, and could also be used as a rule name when using the rule provider.

Regards,
Fernando
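As an added illustration of the point Fernando makes (this is not code from the thread, from EntLib or from WCSF), the following wrapper passes one shared task name to whichever EntLib 3.1 authorization provider is configured, and turns the "Element not found" failure the original poster hit into an explicit configuration error instead of an ordinary access denial. The provider names, the web.config fragment and its attribute names are assumptions, not values from the thread.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;
using Microsoft.Practices.EnterpriseLibrary.Security;

// Added example; assumes two providers registered in web.config under the
// assumed names "RuleProvider" and "AzManProvider" (type strings elided):
//
//   <add name="RuleProvider" type="...AuthorizationRuleProvider, ...">
//     <rules>
//       <add name="ManageNews" expression="R:Administrators" />
//     </rules>
//   </add>
//   <add name="AzManProvider" type="...AzMan.AzManAuthorizationProvider, ..."
//        storeLocation="msxml://~/App_Data/AzManStore.xml" application="NewsApp" />
//
// The AzMan store must define a *task* called "ManageNews"; the rule provider
// resolves the same string as a *rule* name. One vocabulary of task names is
// what lets the application switch providers without code changes.
public static class TaskNames
{
    public const string ManageNews = "ManageNews";
}

public static class TaskAuthorizer
{
    // HRESULT the thread's stack trace shows for a task missing from the store.
    private const int ElementNotFound = unchecked((int)0x80070490);

    public static bool IsAllowed(IPrincipal principal, string task, string providerName)
    {
        IAuthorizationProvider provider = AuthorizationFactory.GetAuthorizationProvider(providerName);
        try
        {
            // Both providers expose Authorize(IPrincipal, string); only the meaning
            // of the second argument differs (rule name vs. task or operation name).
            return provider.Authorize(principal, task);
        }
        catch (SecurityException ex)
        {
            COMException com = ex.InnerException as COMException;
            if (com == null || com.ErrorCode != ElementNotFound)
                throw; // a genuine security failure, not a naming mismatch
            // Fail closed, but name the real cause so it is fixed in config, not in code.
            throw new InvalidOperationException("Authorization context '" + task +
                "' is not a task or operation known to provider '" + providerName + "'.", ex);
        }
    }
}

// At the site-map registration from the question, pass the task name, not a rule name:
//   _siteMapBuilderService.AddNode(moduleNode2, TaskNames.ManageNews);
```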