[Mono-list] Authorization in .NET Remoting channel

Angel "Java" Lopez webmaster at ajlopez.com
Mon Jun 23 09:02:41 EDT 2008


Hi people!

I don't know if it's supported under Mono, but you can read about SSPI over
Remoting Channels:

http://community.bartdesmet.net/blogs/bart/archive/2006/08/26/4277.aspx

The trick is simple but a bit underdocumented. First of all, since .NET 2.0
the TcpChannel (as well as the HttpChannel) supports SSPI as mentioned on
MSDN. Furthermore there is a new RegisterChannel overload on the
ChannelServices class that takes a boolean second parameter called
"ensureSecurity". By turning this on (on both client and server) SSPI seems
to work fine across the wire. Notice the one-parameter RegisterChannel
method is marked as deprecated as of .NET 2.0. The documentation is rather
simplistic:

If the ensureSecurity parameter is set to true, the remoting system
determines whether the channel implements ISecurableChannel, and if so,
enables encryption and digital signatures. An exception is thrown if the
channel does not implement ISecurableChannel. 

But as you can see, setting the flag does the trick.

More info at:
http://msdn.microsoft.com/en-us/library/4b3scst2.aspx

Angel "Java" Lopez
http://www.ajlopez.com/

-----Original Message-----
From: mono-list-bounces at lists.ximian.com
[mailto:mono-list-bounces at lists.ximian.com] On Behalf Of Robert Jordan
Sent: Monday, June 23, 2008 9:34 AM
To: Mono-list at lists.ximian.com
Subject: Re: [Mono-list] Authorization in .NET Remoting channel

paszczi wrote:
> Hi,
> 
> I'm struggling to find a way of implementing authorization in .NET
> remoting. The issue is that I've developed a custom sink and I'm able
> to pass some credentials which can then be authenticated by the server.
> But what I want to do is to check whether the remote user who has called
> the shared object's method can in fact invoke it (using my custom
> security framework). I've tried to pass a custom principal/identity to
> Thread.CurrentPrincipal - but somehow this is always an empty
> GenericIdentity (I've tried this on Windows and I've only managed to
> pass a WindowsIdentity instead of the empty one :(). Any suggestions - the
> basic issue is how to get those credentials from sink to the remoted
> object :)
> 

You can inject the client identity in the current call context:

client:

// this is your sink's process message:
ProcessMessage(IMessage msg, ....)
{
	MethodCall mc = msg as MethodCall;
	if (mc != null) {
		// attach the caller's name to the call context sent with the request
		mc.LogicalCallContext.SetData ("UserName",
			WindowsIdentity.GetCurrent ().Name);
	}
}

server:

class SomeRemoteClass : MarshalByRefObject
{
	public void Method ()
	{
		Console.WriteLine (CallContext.GetData("UserName"));
	}
}


There might be other ways to do this, though. I'm just writing this
down from weak memory ;-)

Robert
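
Added example, not part of the original thread or of either poster's code: the "UserName" value in the call context is whatever the client sink chooses to send, so this server-side sketch authorizes on the identity the secured channel authenticated and uses the call-context value only as a claim to cross-check. It assumes Microsoft .NET Framework behaviour (a TcpChannel registered with ensureSecurity exposes the authenticated caller through Thread.CurrentPrincipal); the port, object URI, allowed-user list and the IsAllowed helper are constructed for illustration.

```csharp
using System;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Remoting.Messaging;
using System.Security;
using System.Security.Principal;
using System.Threading;

public class SomeRemoteClass : MarshalByRefObject
{
    // Constructed sample policy; a real one would come from the custom security framework.
    static readonly string[] AllowedUsers = { @"EXAMPLE\alice" };

    static bool IsAllowed(string user)   // hypothetical helper
    {
        foreach (string u in AllowedUsers)
            if (string.Equals(u, user, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    public void Method()
    {
        // Identity established by the secured channel (assumption: set by SSPI authentication).
        IIdentity caller = Thread.CurrentPrincipal.Identity;
        if (!caller.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");

        // Value the client sink put in the logical call context: unauthenticated, a claim only.
        string claimed = CallContext.GetData("UserName") as string;
        if (claimed != null && !string.Equals(claimed, caller.Name, StringComparison.OrdinalIgnoreCase))
            throw new SecurityException("Call context user does not match the channel identity.");

        if (!IsAllowed(caller.Name))
            throw new SecurityException("Caller is not authorized for this method.");
        Console.WriteLine("Authorized call from " + caller.Name);
    }
}

public static class Server
{
    public static void Main()
    {
        // ensureSecurity = true, as in the RegisterChannel overload quoted above.
        ChannelServices.RegisterChannel(new TcpChannel(9000), true);   // port is an assumption
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(SomeRemoteClass), "SomeRemoteClass.rem", WellKnownObjectMode.SingleCall);
        Console.ReadLine();   // keep the host process alive
    }
}
```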
