Fog Creek Software
Discussion Board

.NET Question

I have a web application that needs to call a .NET enterprise service component running in COM+. I only want this web application to be able to call this component, so of course I've turned on component checks and added a role that only contains the ASPNET account.

The problem is that this still allows other web applications on the same box to access this component, so hypothetically if there was no change control another developer could update their app to access this component.

Any ideas on methods of restricting the single web application to having rights to the COM+ component (including imperative - I am open to doing checks in the methods in the component to validate the caller, but am unsure what checks to do).

Any ideas are greatly appreciated.

Friendly neighbourhood monkey
Wednesday, July 7, 2004

Assuming you're using IIS6, you could create a separate appdomain and have the worker process run as another account.

If you're using IIS5, I'm not sure what your options are...

Wednesday, July 7, 2004

I'm pretty sure impersonation would work in IIS 5 (and 6, but probably easier to just run the worker service under a separate account, as mentioned above).  Of course, if your COM+ component lives on another box, then you'll need to impersonate an account w/ domain credentials, and enable delegation in addition to impersonation.

Wednesday, July 7, 2004

One low-key way of handling this is pass a parameter with some sort of key to the component's constructor or Init method.  Thow an exception for anybody that passes the incorrect key.

Wednesday, July 7, 2004

*  Recent Topics

*  Fog Creek Home