[Mono-bugs] [Bug 82043][Nor] Changed - WebMethod and PrincipalPermission

bugzilla-daemon at bugzilla.ximian.com bugzilla-daemon at bugzilla.ximian.com
Sun Jul 15 09:10:46 EDT 2007

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by mmorano at mikeandwan.us.


--- shadow/82043	2007-07-13 05:54:21.000000000 -0400
+++ shadow/82043.tmp.2736	2007-07-15 09:10:46.000000000 -0400
@@ -1,12 +1,12 @@
 Bug#: 82043
 Product: Mono: Class Libraries
 Version: 1.2
 OS: unknown
 OS Details: 
-Status: NEEDINFO   
+Status: REOPENED   
 Severity: Unknown
 Priority: Normal
 Component: Sys.Web.Services
 AssignedTo: atsushi at ximian.com                            
 ReportedBy: mmorano at mikeandwan.us               
@@ -61,6 +61,66 @@
 ------- Additional Comments From atsushi at ximian.com  2007-07-13 05:54 -------
 > There also seem some traps that disables basic authentication
 > stuff, which may be happening with your setup.
 Oops, forgot to add a link for this:
+------- Additional Comments From mmorano at mikeandwan.us  2007-07-15 09:10 -------
+Sorry for not being so clear.  I am running this through xsp2, and
+have split the asmx and code files.  Below is a modified version of
+your test case which more closely resembles my setup:
+First is the asmx file.  This lives in a standard directory that can
+be referenced by the browser (not in a special asp.net directory such
+as app_code).
+-- ASMX FILE --
+<%@WebService Language="c#" Class="Bug82043" %>
+The .asmx.cs file lives in App_Code.  This file contains all the logic
+for the class.  This is working fine on my xsp2 instance:
+using System;
+using System.Security;
+using System.Security.Permissions;
+using System.Web;
+using System.Web.Services;
+using System.Web.Services.Protocols;
+public class Bug82043 : WebService
+        [WebMethod]
+        [PrincipalPermission(SecurityAction.Demand,
+Authenticated=true,  Role="admin")]
+        public bool Test(int x, int y)
+        {
+                return User.IsInRole("admin");
+        }
+As part of the website, I have enabled forms authentication, and am
+using a custom Membership and Role provider to provide authentication
+and authorization services.  That has been working fine for some time,
+and properly allows a user to log into my site and allow/deny access
+to various areas based on who they are.
+Given that the code above tries to apply a role level principal
+permission on the method, as I would expect the runtime to raise an
+exception here, as the user is not in the role at first.  However, it
+does get into the method, and then returns false as the user did not
+After logging in as an admin, the method is invoked and returns true.
+I might not be correctly understanding what you are getting at with
+the reference to the article.  I am running this on linux, and using
+forms based authentication (not integrated windows or basic auth). 
+Also, I am not authorizing based on username, and am not in an active
+directory domain, so I dont believe the comments concerned with the
+Name attribute apply here.  Is there something I am missing?

More information about the mono-bugs mailing list