
I have a custom role provider that inherits from RoleProvider. In the web app this works fine with no problems.

However, I am also using it in the WCF service and am having great problems stepping into it, to the extent that I suspect it isn't being hit at all. If I turn on any principal permissions at all I get access denied, and the stack trace is totally unhelpful. Even the WCF traces aren't really helpful in ascertaining what has happened.

I know that the TennisRoleProvider works off its default constructor and have verified its methods via test. It seems to be an integration issue.

So snippets ...

EDIT: I have since moved the role provider into the service assembly, as I read something about needing to involve the GAC and keys (needs to run in full trust). I went down that path but things still didn't work, so I decided to simply move stuff into the service project to simplify. Still no joy.

<roleManager defaultProvider="TennisRoleProvider"
             enabled="true"
             >
  <providers>
    <clear/>
    <add name="TennisRoleProvider"
         type="Tennis.Security.TennisRoleProvider, Tennis.Security" />
  </providers>
</roleManager>

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpUserName">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName"/>
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>


    <behavior name="RoleBehavior">
       <serviceCredentials>
         <serviceCertificate findValue="john-pc"
                      storeLocation="LocalMachine"
                      storeName="My"
                      x509FindType="FindBySubjectName"/>
         <userNameAuthentication userNamePasswordValidationMode="Custom"
                                 customUserNamePasswordValidatorType="Tennis.Components.TennisUserValidator, Tennis.Components"/>
      </serviceCredentials>

      <serviceAuthorization principalPermissionMode="UseAspNetRoles" 
                            roleProviderName="TennisRoleProvider">
      </serviceAuthorization>

      <serviceMetadata httpsGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="true"/>
      <errorHandler />
    </behavior>

   <services>
      <service name="Tennis.Service.Services"
               behaviorConfiguration="RoleBehavior">
          <endpoint address="Family"
                 binding="wsHttpBinding"
                 bindingConfiguration="wsHttpUserName"
                 contract="Tennis.Service.Contracts.IFamilyAdmin"
                  />
      </service>
    </services>

Then on the service method I have the following (Roles.FamilyAdmin is a string):

[PrincipalPermission(SecurityAction.Demand, Name = Roles.FamilyAdmin)]
public VoidResult<SuccessEnum> UpdateFamily(Family family)
{
    // method body omitted in the original post
    throw new NotImplementedException();
}

So there are 2 questions ... 1) What have I done wrong? 2) How can I get into WCF to figure out exactly what is going wrong?

Cheers

The stack trace for the error in the logs is as follows. Note the permission in there is different from the one I used above (namely 'Authorised' instead of 'FamilyAdmin'). However, in the real thing those values match and the user has the correct permissions.

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
<EventID>131076</EventID>
<Type>3</Type>
<SubType Name="Warning">0</SubType>
<Level>4</Level>
<TimeCreated SystemTime="2012-06-29T12:45:30.2469191Z" />
<Source Name="System.ServiceModel" />
<Correlation ActivityID="{6e59b4f4-d59b-42eb-ad8e-4d5853f72900}" />
<Execution ProcessName="w3wp" ProcessID="9388" ThreadID="18" />
<Channel />
<Computer>JOHNN-PC</Computer>
</System>
<ApplicationData>
<TraceData>
<DataItem>
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning">
<TraceIdentifier>http://msdn.microsoft.com/en-GB/library/System.ServiceModel.Diagnostics.TraceHandledException.aspx</TraceIdentifier>
<Description>Handling an exception.</Description>
<AppDomain>/LM/W3SVC/2/ROOT/Tennis-1-129854474506679191</AppDomain>
<Exception>
<ExceptionType>System.Security.SecurityException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Request for principal permission failed.</Message>
<StackTrace>
at System.Security.Permissions.PrincipalPermission.ThrowSecurityException()
at System.Security.Permissions.PrincipalPermission.Demand()
at System.Security.PermissionSet.DemandNonCAS()
at Nomical.Tennis.Service.Services.GetBookingsForUser(DateTime start, DateTime end) in c:\tfs\Tennis\TennisSolution\TennisCourts\Services.svc.cs:line 388
at SyncInvokeGetBookingsForUser(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
</StackTrace>
<ExceptionString>System.Security.SecurityException: Request for principal permission failed.
   at System.Security.Permissions.PrincipalPermission.ThrowSecurityException()
   at System.Security.Permissions.PrincipalPermission.Demand()
   at System.Security.PermissionSet.DemandNonCAS()
   at Tennis.Service.Services.GetBookingsForUser(DateTime start, DateTime end) in c:\tfs\Tennis\TennisSolution\TennisCourts\Services.svc.cs:line 388
   at SyncInvokeGetBookingsForUser(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Security.Permissions.PrincipalPermission
The first permission that failed was:
&lt;IPermission class="System.Security.Permissions.PrincipalPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"&gt;
&lt;Identity Authenticated="true"
ID="Authorised"/&gt;
&lt;/IPermission&gt;

The demand was for:
&lt;IPermission class="System.Security.Permissions.PrincipalPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"&gt;
&lt;Identity Authenticated="true"
ID="Authorised"/&gt;
&lt;/IPermission&gt;

The assembly or AppDomain that failed was:
mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionString>
</Exception>
</TraceRecord>
</DataItem>
</TraceData>
</ApplicationData>
</E2ETraceEvent>

EDIT: Based on the answer below I added a few lines of code into the constructor, which, whilst they don't achieve anything, encouraged me to interrogate the thread static class.

EDIT: Given a question about logs, I updated the log to show that it is indeed from the log, or I am confused ;)

The TennisRoleProvider is referenced by it in its non-public members; moreover, when I overrode Name to make it return something I would recognise, this was returned by it.

John Nicholas
  • Have you configured WCF tracing and used the Service Trace Viewer tool (http://msdn.microsoft.com/en-us/library/ms732023.aspx)? It usually gives precious information. – Simon Mourier Jul 03 '12 at 13:53
  • Yeah, that's where the detailed error above comes from. I get nothing useful out of the immediate exception in WCF. They are essential :D – John Nicholas Jul 03 '12 at 16:43
  • This could be nothing but I notice that in your web.config under `behavior -> serviceCredentials -> serviceCertificate` `findValue="john-pc"` but the stack trace reports `JOHNN-PC`. Could this be a certificate error because of the computer name discrepancy? – Infotekka Jul 05 '12 at 20:41
  • Hi, yeah, that is a result of me sanitising data ;) Certificates are fine, although it took a while to get a CA set up, I have to admit. – John Nicholas Jul 06 '12 at 13:52
  • I suspect this is to do with signing as I am trying to use security across assembly boundaries. – John Nicholas Sep 12 '12 at 16:07
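Added here as a diagnostic, not code from the original question or the Tennis project: a role provider that traces every call it receives, and a throwaway service that reports what WCF placed on the thread before any demand runs, with one operation demanding by Role and one by Name. On PrincipalPermissionAttribute, Name is compared against Identity.Name and never consults a role provider, whereas Role calls IPrincipal.IsInRole, which under principalPermissionMode="UseAspNetRoles" is routed to the configured provider's IsUserInRole; in the serialized permission the two appear as ID="..." and Role="..." respectively, so a trace that prints ID="Authorised" records a Name demand. The type names TracingRoleProvider, IDiagnostic and DiagnosticService, the role string "FamilyAdmin", and the rule that every authenticated user is a FamilyAdmin are assumptions made for the demo.

```csharp
// Added diagnostic example; not part of the original post. Assumes the
// service is hosted with the wsHttpUserName binding and RoleBehavior shown
// in the question, and that this provider is registered under <roleManager>.
using System;
using System.Diagnostics;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;
using System.Web.Security;

namespace Tennis.Diagnostics
{
    // Announces every call so the trace log (or an attached debugger) shows
    // whether the provider is reached at all before the demand fails.
    public class TracingRoleProvider : RoleProvider
    {
        public override string ApplicationName { get; set; }

        // This is the member WCF invokes for a Role= demand in UseAspNetRoles mode.
        public override bool IsUserInRole(string username, string roleName)
        {
            Trace.WriteLine("IsUserInRole(" + username + ", " + roleName + ")");
            // Constructed rule for the demo: every authenticated user is a FamilyAdmin.
            return string.Equals(roleName, "FamilyAdmin", StringComparison.Ordinal);
        }

        public override string[] GetRolesForUser(string username)
        {
            Trace.WriteLine("GetRolesForUser(" + username + ")");
            return new[] { "FamilyAdmin" };
        }

        // Required by the abstract base class; not used by the WCF authorization path.
        public override void AddUsersToRoles(string[] u, string[] r) => throw new NotSupportedException();
        public override void CreateRole(string roleName) => throw new NotSupportedException();
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) => throw new NotSupportedException();
        public override string[] FindUsersInRole(string roleName, string usernameToMatch) => throw new NotSupportedException();
        public override string[] GetAllRoles() => new[] { "FamilyAdmin" };
        public override string[] GetUsersInRole(string roleName) => throw new NotSupportedException();
        public override void RemoveUsersFromRoles(string[] u, string[] r) => throw new NotSupportedException();
        public override bool RoleExists(string roleName) => roleName == "FamilyAdmin";
    }

    [ServiceContract]
    public interface IDiagnostic
    {
        [OperationContract] string WhoAmI();
        [OperationContract] string ByRole();
        [OperationContract] string ByName();
    }

    public class DiagnosticService : IDiagnostic
    {
        // No attribute: reports the principal WCF installed on the thread, and
        // makes the same IsInRole call a Role= demand would make, without throwing.
        public string WhoAmI()
        {
            IPrincipal p = Thread.CurrentPrincipal;
            ServiceSecurityContext ctx = ServiceSecurityContext.Current;
            string wcfName = ctx == null ? "<no security context>" : ctx.PrimaryIdentity.Name;
            bool inRole = p.IsInRole("FamilyAdmin");
            return string.Format(
                "principal={0}; identity={1} ({2}, authenticated={3}); wcf identity={4}; IsInRole(FamilyAdmin)={5}",
                p.GetType().FullName, p.Identity.Name, p.Identity.AuthenticationType,
                p.Identity.IsAuthenticated, wcfName, inRole);
        }

        // Role= -> principal.IsInRole("FamilyAdmin") -> provider.IsUserInRole(name, "FamilyAdmin").
        [PrincipalPermission(SecurityAction.Demand, Role = "FamilyAdmin")]
        public string ByRole() { return "role demand passed"; }

        // Name= -> principal.Identity.Name must equal "FamilyAdmin"; the role
        // provider is not consulted. Only a user who authenticated *as*
        // "FamilyAdmin" passes; everyone else gets "Request for principal
        // permission failed" with ID="FamilyAdmin" in the serialized permission.
        [PrincipalPermission(SecurityAction.Demand, Name = "FamilyAdmin")]
        public string ByName() { return "name demand passed"; }
    }
}
```

Call WhoAmI first from the client: if the principal type is not WCF's role-provider principal, or IsInRole comes back false, the fault is in the provider wiring or in IsUserInRole, and the provider's Trace.WriteLine lines (or their absence) in the service trace say which. If WhoAmI reports IsInRole true while the attributed operation still faults, compare the demanded permission's ID= or Role= attribute in the trace against the attribute on the method.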

2 Answers


The problem was that I am using security across assemblies / app domains.

I need to make everything trusted and signed for it to work.

John Nicholas

Put a break point in one of your role provider's methods. If your WCF service is self-hosted, start the host; if you have it under IIS, just access its *.svc file. From Visual Studio go to Debug, then click on Attach to Process and select your worker process (w3wp.exe) from the list (if you are not able to see it, select both check boxes "Show processes from all users" and "Show processes in all sessions"). Now you can attach to your WCF service execution process. Last thing to do: from your client, just call one of the test methods of your service and see if your break point gets hit.

If that doesn't work, then just enable tracing at your service level and check the trace log files for any suspicious information.

Mihai H
  • Oh lol ... didn't think to attach to process :/ ... the last bit of code in my question is all I can glean from the log files. – John Nicholas Jun 29 '12 at 12:43
  • Well, I have, and can't hit break points, I'm afraid. As soon as I call a method on the service it fails with a PrincipalPermission error (and it really feels like either my code is running on something (context/thread) I can't debug, or it's not being hit at all). – John Nicholas Jun 29 '12 at 13:06
  • Nice idea; unfortunately that link makes no difference. Still cannot hit a break point in the role provider ... I can hit one in the constructor ... then it immediately says permission denied. – John Nicholas Jun 29 '12 at 14:40
  • Well, there are very slim chances in helping you since I do not have access to your project. – Mihai H Jun 29 '12 at 17:53