AOP with PostSharp: Listing 3.

A practical business scenario for advanced role-based security.

Public Class UserSecurity
  Public Shared Users As List(Of UserSecurityInfo)
  Public Shared Sub PopulateUserSecurity()
    Users = New List(Of UserSecurityInfo)
    Users.Add(New UserSecurityInfo With {.UserName = "Tom.Talker", _
      .BusinessUnit = "Sales"})
    Users.Add(New UserSecurityInfo With {.UserName = "Allan.Accountant", _ 
      .BusinessUnit = "Accounting"})
  End Sub
End Class

Public Class UserSecurityInfo
  Public Property UserName As String
  Public Property BusinessUnit As String
End Class

Public Class BusinessLayer
   <AOPSecurity.ValidateBusinessUnit() >
  Public Shared Sub CreateRequisiton(BusinessUnit As String)
    'This method executes only if the current user has the specified business unit
    Return
  End Sub
End Class

 <Serializable() >
Public Class AOPSecurity

   <Serializable() >
  Public Class ValidateBusinessUnitAttribute
    Inherits PostSharp.Aspects.OnMethodBoundaryAspect
    Public Overrides Sub OnEntry(args As PostSharp.Aspects.MethodExecutionArgs)
      'Get current running user
      If My.User.IsAuthenticated = False Then
        Throw New Security.SecurityException("Unauthenticated User")
      Else
        Dim UserName = My.User.CurrentPrincipal.Identity.Name
        Dim UserSecuritySettings = _
          UserSecurity.Users.FirstOrDefault(Function(x) x.UserName = UserName)
        If IsNothing(UserSecuritySettings) = False Then
          'Validate the user's business unit to the one passed in the method
          If args.Method.IsConstructor = False Then
            Dim thisMethod As System.Reflection.MethodInfo = CType(args.Method, _
              System.Reflection.MethodInfo)
            Dim BUparam = 
              thisMethod.GetParameters().First(Function(x) x.Name = "BusinessUnit")
            If IsNothing(BUparam) = False Then
              Dim BUparameter As String = args.Arguments.GetArgument(BUparam.Position)
              If BUparameter  < > UserSecuritySettings.BusinessUnit Then
                Dim ErrorMsg = 
                  "User: {0} is not authorized to requisition for business unit: {1}"
                Throw New Security.SecurityException( _
                  String.Format(ErrorMsg, UserName, BUparameter))
              End If
            End If
          End If
        Else
          Throw New Security.SecurityException( _
            String.Format("User {0} Not Found in Users Security Table", UserName))
        End If
      End If
    End Sub

    Public Overrides Sub RuntimeInitialize(method As System.Reflection.MethodBase)
      If IsNothing(UserSecurity.Users) Then
        UserSecurity.PopulateUserSecurity()
      End If
    End Sub
  End Class
End Class

About the Author

Joe Kunk is a Microsoft MVP in Visual Basic, three-time president of the Greater Lansing User Group for .NET, and developer for Dart Container Corporation of Mason, Michigan. He's been developing software for over 30 years and has worked in the education, government, financial and manufacturing industries. Kunk's co-authored the book "Professional DevExpress ASP.NET Controls" (Wrox Programmer to Programmer, 2009). He can be reached via email at joekunk@ajboggs.com.