Zulfiqar's weblog

Architecture, security & random .Net

ReceiveActivity authorization/security

Posted by zamd on March 25, 2008

ReceiveActivity, shipped as part of .NET Framework 3.5, enables you to receive data in your workflows by using web services. ReceiveActivity also provides a way to enable role-based authorization, so you can specify who can send data into your workflows.

By default, RBAC is done against the Windows principal; you can change this using the serviceAuthorizationBehavior:

<serviceAuthorization principalPermissionMode="Custom"/>

There is a small bug in the current UI. If you set the Role field to a “Windows Group”, e.g. Administrators, and leave the Name field blank, then everything works fine.

However, if you enter a value in the Name field, say “zuahmed”, click OK, and then come back to this dialog and clear the Name field, you will always get an “Access Denied” exception when you run the application.


So what’s happening in the background is:

When you clear the value in the Name field and hit OK, the PrincipalPermissionName property is set to an empty string (“”) rather than null (the default). If you only want to authorize access on group membership, an identity value of null must be used; otherwise you will get access denied. Currently there is no way to fix this using the UI. You have to go into the designer-generated code and reset the value: typedoperationinfo1.PrincipalPermissionName = null.

This is now a known issue and will hopefully be fixed in the next SP.
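The null versus empty-string difference can be reproduced outside the designer. The following is an added example, not code from the original post or from the workflow runtime; it assumes the ReceiveActivity check behaves like a System.Security.Permissions.PrincipalPermission demand built from the Name and Role values. The caller identity and the NormalizeName helper are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class PrincipalPermissionNameDemo
{
    // Returns true when the current thread principal satisfies a
    // PrincipalPermission demand for the given name and role.
    static bool IsAuthorized(string name, string role)
    {
        try
        {
            new PrincipalPermission(name, role).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false; // surfaces to the caller as "Access Denied"
        }
    }

    // Hypothetical helper: treat a blank Name as "no identity constraint",
    // which is what resetting PrincipalPermissionName to null achieves.
    static string NormalizeName(string name)
    {
        return string.IsNullOrEmpty(name) ? null : name;
    }

    static void Main()
    {
        // Constructed caller: user "zuahmed", member of "Administrators".
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("zuahmed"), new[] { "Administrators" });

        // null name: only the role is checked.
        Console.WriteLine("Name = null          : " + IsAuthorized(null, "Administrators"));
        // "" name: compared against the caller's identity name, so it never matches.
        Console.WriteLine("Name = \"\"            : " + IsAuthorized("", "Administrators"));
        // Explicit name: must match the caller's identity name as well as the role.
        Console.WriteLine("Name = \"zuahmed\"     : " + IsAuthorized("zuahmed", "Administrators"));
        // Blank name normalized to null before the demand.
        Console.WriteLine("Name = \"\" normalized : " + IsAuthorized(NormalizeName(""), "Administrators"));
    }
}
```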

Posted in WF