ASP.NET AJAX Roles and Security

Michael Schwarz on Monday, July 30, 2007

David Barkol [1] writes on his blog about the ASP.NET AJAX Role Application Service in Visual Studio 2008 (Orcas) [2]. It is a new service that works much like the profile [3] and authentication [4] services. Because it is very easy to call from client-side JavaScript, you should be a bit more careful with how you use these new methods.

When you read David's post you will find a very simple example, and right there you can already see what I mean by careful:

```javascript
function pageLoad() {
    loadRoles();
}

function loadRoles() {
    Sys.Services.RoleService.load(onLoadRolesCompleted, onLoadRolesFailed, null);
}

function onLoadRolesCompleted(result, userContext, methodName) {
    if (Sys.Services.RoleService.isUserInRole("Administrator")) {
        $get("adminView").style.display = "block";
    }
}

function onLoadRolesFailed(error, userContext, methodName) {
    alert(error.get_message());
}
```

In the asynchronous callback onLoadRolesCompleted you see the condition isUserInRole("Administrator"). If it is true, the next line simply displays the HTML element with the ID adminView, which is hidden by default. So, instead of waiting for this callback, you could run the following command yourself in the browser (from the address bar or a script console) to show adminView:

```javascript
document.getElementById("adminView").style.display = "block";
```

On its own this is not yet a security problem: the user only sees markup the server has already sent to the browser. It becomes a problem if the elements in adminView trigger further AJAX requests that perform administrative tasks and the server assumes that only an administrator could have reached them. The client-side role check is a convenience for the user interface, nothing more; every visitor controls the JavaScript running in their own browser and can skip the check or call the service methods directly.

You ALWAYS have to check in your server-side code whether the user has the rights needed to execute it. You can do that yourself (for example with HttpContext.Current.User.IsInRole) or use the PrincipalPermissionAttribute [5], where you specify the roles that are allowed to execute the whole AJAX method. I recommend the attribute: with SecurityAction.Demand the check runs before the method body is entered, so if the user is not in the required role a SecurityException is thrown and none of the method's code executes.
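To make the server-side check concrete, here is an added example of an ASP.NET AJAX script service that protects its administrative methods on the server. This is example code written for this post, not code from David's post or from the ASP.NET AJAX library; the service name AdminService, its XML namespace, the method names and the in-memory LockedUsers list are all hypothetical. It assumes an ASP.NET 3.5 web application with the role manager enabled, so that HttpContext.Current.User is a RolePrincipal and ASP.NET sets Thread.CurrentPrincipal from it.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;

// Hypothetical admin service for an ASP.NET AJAX page (example code, not from
// the original post). Once referenced from a ScriptManager <Services> element
// its methods are callable from any JavaScript, and also by a hand-made POST to
// AdminService.asmx/LockUser with Content-Type application/json, so each method
// has to authorize the caller itself. The hidden adminView div protects nothing.
[WebService(Namespace = "http://example.invalid/adminservice")]
[ScriptService]
public class AdminService : WebService
{
    // Constructed in-memory state so the methods do something observable.
    private static readonly List<string> LockedUsers = new List<string>();

    // Declarative check: PrincipalPermission with SecurityAction.Demand requires
    // Thread.CurrentPrincipal to be in the "Administrator" role. If it is not, a
    // System.Security.SecurityException is thrown before the method body runs,
    // so nothing below executes for a non-administrator. ASP.NET AJAX turns the
    // exception into a failed call on the client (the onFailed callback fires).
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    public string LockUser(string userName)
    {
        if (string.IsNullOrEmpty(userName))
            throw new ArgumentException("userName is required");

        lock (LockedUsers)
        {
            if (!LockedUsers.Contains(userName))
                LockedUsers.Add(userName);
        }
        return "locked " + userName;
    }

    // Imperative alternative with the same effect. Prefer this form when the
    // decision needs more than a role name, e.g. a per-object ownership check.
    [WebMethod]
    public string UnlockUser(string userName)
    {
        if (!HttpContext.Current.User.IsInRole("Administrator"))
            throw new SecurityException("Administrator role required");

        lock (LockedUsers)
        {
            LockedUsers.Remove(userName);
        }
        return "unlocked " + userName;
    }

    // Insecure counterpart, shown only as the "before": it relies on the page
    // having hidden the button that calls it. Anyone who un-hides adminView, or
    // simply posts to the .asmx endpoint, can lock arbitrary accounts.
    [WebMethod]
    public string LockUserUnchecked(string userName)
    {
        lock (LockedUsers)
        {
            if (!LockedUsers.Contains(userName))
                LockedUsers.Add(userName);
        }
        return "locked " + userName;
    }
}
```

The client-side isUserInRole call and the hidden adminView element stay useful for deciding what to show, but only LockUser and UnlockUser actually refuse a non-administrator; LockUserUnchecked is exactly the kind of method this post warns about.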

A year ago I already wrote a simple demonstration of how to use the PrincipalPermissionAttribute inside Ajax.NET Professional AjaxMethods [6].