Enterprise Services Security


Serviced components benefit from a set of authentication and authorization services that are included in the Enterprise Services (COM+) infrastructure. Authentication is provided over the RPC channel between client and server, so clients will automatically present to the server with their Windows identity. Authorization is provided by Enterprise Services roles, which are identical to COM+ roles. An Enterprise Services role can contain Windows users and Windows groups. You can limit access to applications, components, interfaces, and methods within a serviced component to members of specific roles.

In general, you can manage security for serviced components through a combination of attributes within your .NET project, and the Component Services tool, as shown in Step By Step 11.10.


11.10 Implementing Security for a Serviced Component

  1. Launch Visual Studio .NET and create a new blank solution.

  2. Add a new Visual Basic class library project to the solution. Name the new project InventoryService.

  3. Right-click the Class1.vb file and rename it Inventory.vb.

  4. Right-click the References folder and select Add Reference. Select the System.EnterpriseServices reference from the .NET tab of the Add Reference dialog box and click OK.

  5. Add code to create the Inventory class as a serviced component:

     Imports System.EnterpriseServices Public Interface ISell     Sub Sell(ByVal Amount As Integer) End Interface <ComponentAccessControl(), _ SecureMethod(), _  SecurityRole("InventoryUsers")> _  Public Class Inventory     Inherits ServicedComponent     Implements ISell     <AutoComplete(), _      SecurityRole("InventoryUsers")> _     Public Sub Sell(ByVal Amount As Integer) _      Implements ISell.Sell         ' Work of the component would go here     End Sub End Class 
  6. Open a Visual Studio .NET command prompt. Navigate to the directory containing the InventoryService project and create a key file by entering this command:

     sn k InventoryService.snk 
  7. Open the AssemblyInfo.vb file. Add a line of code at the top of the file:

     Imports System.EnterpriseServices 
  8. Add attributes at the end of the AssemblyInfo.vb file, replacing the default AssemblyVersion attribute:

     <Assembly: AssemblyVersion("")> <Assembly: ApplicationName("InventoryComponent")> <Assembly: AssemblyKeyFile(_  "..\..\InventoryService.snk")> <Assembly: ApplicationAccessControl(_  AccessChecksLevel:= _  AccessChecksLevelOption.ApplicationComponent)> <Assembly: SecurityRole("InventoryUsers")> 
  9. Build the project to create InventoryService.dll.

  10. Switch to the Visual Studio .NET command prompt and navigate to the project's bin directory. Enter this command to register the assembly with COM+:

     regsvcs InventoryService.dll 
  11. Add a new Visual Basic .NET Windows application project to the solution. Name the new project InventoryClient . Set the new project as the startup project for the solution.

  12. Right-click the References folder and select Add Reference. Select the Projects tab and create a reference to the InventoryService project.

  13. Place a Label control, a TextBox control named txtAmount , and a Button control named btnSell on the default form in the project.

  14. Double-click the button to switch to the form's module. Add a statement at the top of the module:

     Imports InventoryService 
  15. Add code to handle the button's Click event:

     Private Sub btnSell_Click(_  ByVal sender As System.Object, _  ByVal e As System.EventArgs) _  Handles btnSell.Click     Try         Dim inv As Inventory = New Inventory()         inv.Sell(txtAmount.Text)         MessageBox.Show("Sale succeeded")     Catch ex As Exception         MessageBox.Show(ex.Message, _          "Exception occurred")     End Try End Sub 
  16. Run the solution, enter a number in the text box, and click the button. You'll receive an exception message as shown in Figure 11.10 because you're not a member of the InventoryUsers COM+ role. Close the form.

    Figure 11.10. Enterprise service not available to the current user .

  17. Select Start, Programs, Administrative Tools, Component Services to launch the Component Services Tool.

  18. In the Component Services tool, expand the tree to locate the Users node for the InventoryUsers role, as shown in Figure 11.11. You can get there by drilling down through Component Services, COM+ Applications, InventoryComponent, Roles, InventoryUsers, Users. Right-click the node and select New, User. In the Select Users or Groups dialog box, locate your own user account, click Add, and then OK.

    Figure 11.11. Configuring roles for a serviced component.

  19. Run the solution again, enter a number in the text box, and click the button again. This time, the call will succeed because your account is a member of the proper COM+ role.

This Step by Step shows the essential attributes that you can use to configure security for a serviced component:

  • The ApplicationAccessControl attribute at the assembly level enables access checking at the process and component level.

  • The SecurityRole attribute at the assembly level specifies the COM+ roles that will be able to use any of the classes from the assembly.

  • The ComponentAccessControl attribute at the class level enables component-level access checking.

  • The SecurityRole attribute at the class level specifies the COM+ roles that will be allowed to create instances of the class.

  • The SecureMethod attribute at the class level allows you to use the Component Services tool to configure roles for the class.

  • The SecurityRole attribute at the method level specifies the COM+ roles that will be allowed to invoke the method.


  • The most important security decision you must make with a Windows service is which security account should be used to run the service. You can choose between the LocalSystem account or a user account on Windows 2000. On Windows XP, the LocalService and NetworkService accounts provide additional flexibility.

  • Because Web services are hosted by ASP.NET, they have the entire spectrum of IIS authentication, authorization, and security features available to them.

  • You can use IIS to control access to a Web service, and then use declarative or imperative security to control the access of the Web service to resources.

  • WS-Security is a new specification for a set of SOAP headers to handle authentication, encryption, and signing directly in SOAP messages.

  • Remoting servers that require secure hosting are best run in the ASP.NET process. Remoting servers that require additional speed but less security can be run in a Windows service host instead.

  • You can configure security for serviced components by applying attributes within the code for the components and then specifying COM+ roles with the Component Services tool.


MCAD. MCSD Training Guide (Exam 70-310. Developing XML Web Services and Server Components with Visual Basic. NET and the. NET Framework)
MCAD/MCSD Training Guide (70-310): Developing XML Web Services and Server Components with Visual Basic(R) .NET and the .NET Framework
ISBN: 0789728206
EAN: 2147483647
Year: 2002
Pages: 166

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net