How can I find the role required when PrincipalPermissionAttribute demand fails?

Within a web site I'm using the PrincipalPermission attribute to restrict access to certain methods.

Here's a canonical example:

class Program
{
    static void Main(string[] args)
    {
        Foo();
    }

    [System.Security.Permissions.PrincipalPermission(System.Security.Permissions.SecurityAction.Demand, Role = "Winners")]
    static void Foo()
    { }
}

If the principal isn't in the role specified then the .NET infrastructure throws a System.Security.SecurityException with the generic message "Request for principal permission failed".

If the permission check fails I'd like to log what role the PrincipalPermission required. This will be really useful for our support staff who can then either assign the role to the user and/or monitor the logs to see if anything suspicious is happening. Clearly for security purposes the end user will still see a generic unauthorised message. I've trawled through the SecurityException itself but it doesn't have the "Role" anywhere in it.

Is there any way to get this information?


If your code is fully trusted, you can extract the required information by parsing the XML representation of the SecurityException's FirstPermissionThatFailed property. However, for your second purpose of detecting "suspicious" activity, it might be preferable to simply log the return value of the SecurityException's ToString() method. This will include both the details of the denied PrincipalPermission and the stack trace where the exception occurred. The context given by the stack trace is likely to be very useful, assuming that the support staff in question understand how to relate it to your application structure.
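
The approach described in the answer above, as an added example that is not part of the original post: it reads the Role attribute from the XML form of FirstPermissionThatFailed and also logs ToString() for the stack trace. It assumes .NET Framework and full trust; the names DeniedRoleLogging and RequiredRoles, the user "alice" and the role "Losers" are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class DeniedRoleLogging
{
    // Hypothetical helper: collects the Role attribute of every <Identity>
    // child in the XML form of the permission that failed.
    static List<string> RequiredRoles(SecurityException ex)
    {
        var roles = new List<string>();
        IPermission failed = ex.FirstPermissionThatFailed; // needs full trust
        if (failed == null) return roles;
        SecurityElement xml = failed.ToXml();
        if (xml.Children == null) return roles;
        foreach (SecurityElement child in xml.Children)
        {
            string role = child.Attribute("Role");
            if (child.Tag == "Identity" && role != null) roles.Add(role);
        }
        return roles;
    }

    [PrincipalPermission(SecurityAction.Demand, Role = "Winners")]
    static void Foo() { }

    static void Main()
    {
        // Constructed principal: authenticated, but only in the "Losers" role.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Losers" });
        try
        {
            Foo();
        }
        catch (SecurityException ex)
        {
            // Support-side log only; the end user still sees the generic message.
            Console.Error.WriteLine("Denied: user={0} requiredRoles=[{1}]",
                Thread.CurrentPrincipal.Identity.Name,
                string.Join(",", RequiredRoles(ex)));
            Console.Error.WriteLine(ex.ToString()); // permission details + stack trace
        }
    }
}
```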
