Authentication is the process of establishing who a user is (verifying the identity the caller claims).
Authorization is the process of verifying that the authenticated user is allowed to access the requested resource.
Windows Identity:
System.Security.Principal.WindowsIdentity
Represents a Windows user account.
To obtain an object, call one of the static factory methods or use the token constructor:
1. GetAnonymous() - returns an identity representing an anonymous (unauthenticated) user
2. GetCurrent() - returns the identity of the Windows account the current thread is running as
3. new WindowsIdentity(IntPtr userToken) - wraps an existing Windows access token (for example one returned by LogonUser)
Note: Impersonate() does not create a WindowsIdentity. It is an instance method that switches the current thread to run as that identity and returns a WindowsImpersonationContext; call its Undo() method in a finally block to revert.
Stores information about the user:
1. AuthenticationType (e.g. "NTLM" or "Kerberos")
2. IsAnonymous
3. IsAuthenticated
4. IsGuest
5. IsSystem
6. Name (in DOMAIN\user form)
7. Token (the handle of the underlying Windows access token)
Windows Principal:
System.Security.Principal.WindowsPrincipal
Provides access to the user's group membership.
Created by passing a WindowsIdentity object to the constructor, or obtained by casting System.Threading.Thread.CurrentPrincipal to WindowsPrincipal. The cast only succeeds after AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal) has been called; with the default policy CurrentPrincipal is an unauthenticated GenericPrincipal.
Method: IsInRole() takes one of these parameters:
1. WindowsBuiltInRole (an enum value such as WindowsBuiltInRole.Administrator)
2. "DOMAIN\Group Name" as a string (built-in groups use BUILTIN as the domain, e.g. @"BUILTIN\Administrators"; these names are localized on non-English Windows)
It also has overloads taking an int RID and a SecurityIdentifier, which avoid the localization problem.
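As an added example (not code from the original notes), the following C# console program inspects the properties of the current WindowsIdentity, lists the groups in its access token, and checks one built-in role with the three IsInRole overloads. It assumes Windows; on another OS WindowsIdentity.GetCurrent() throws PlatformNotSupportedException.

```csharp
using System;
using System.Security.Principal;

// Added example: inspect the current Windows identity and test group membership.
class IdentityInspector
{
    static void Main()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        Console.WriteLine("Name:               " + id.Name);               // DOMAIN\user
        Console.WriteLine("AuthenticationType: " + id.AuthenticationType); // e.g. NTLM, Kerberos
        Console.WriteLine("IsAuthenticated:    " + id.IsAuthenticated);
        Console.WriteLine("IsAnonymous:        " + id.IsAnonymous);
        Console.WriteLine("IsGuest:            " + id.IsGuest);
        Console.WriteLine("IsSystem:           " + id.IsSystem);
        Console.WriteLine("Token:              0x" + id.Token.ToInt64().ToString("X"));

        // Groups from the access token, translated from SIDs to DOMAIN\Group names.
        // Translate() throws IdentityNotMappedException for orphaned SIDs, so guard it.
        Console.WriteLine("Groups:");
        foreach (IdentityReference sid in id.Groups)
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "(unmapped)"; }
            Console.WriteLine("  " + sid.Value + "  " + name);
        }

        WindowsPrincipal principal = new WindowsPrincipal(id);

        // 1. Enum overload: locale-independent; use it for the well-known built-in roles.
        bool viaEnum = principal.IsInRole(WindowsBuiltInRole.Administrator);

        // 2. String overload: DOMAIN\Group. Built-in groups live under BUILTIN, and the
        //    display name is localized, so this form is fragile across Windows languages.
        bool viaString = principal.IsInRole(@"BUILTIN\Administrators");

        // 3. SecurityIdentifier overload: works regardless of display language.
        var adminsSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        bool viaSid = principal.IsInRole(adminsSid);

        Console.WriteLine("Administrator: enum=" + viaEnum + " string=" + viaString + " sid=" + viaSid);
    }
}
```

Under UAC a non-elevated process runs with a filtered token in which the Administrators group is marked deny-only, so all three checks report false for an administrator account until the program is run elevated; the group still appears in the Groups listing, which is a common source of confusion when debugging role checks.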
Principal Permission:
System.Security.Permissions.PrincipalPermission
Enables you to check the active principal (Thread.CurrentPrincipal) with both declarative and imperative security actions.
Properties:
1. Authenticated - require that the principal's identity is authenticated (defaults to true)
2. Name - require a specific user name (null matches any name)
3. Role - require membership in a specific role (null matches any role)
Declarative Role Based Security Demand
Declarative RBS demands instruct the runtime to perform an RBS check before running a method. Security is enforced by the runtime before it executes your code, so a bug inside the method cannot bypass the check.
Disadvantages:
1. Restricts access to the entire method; it cannot protect only part of a method.
2. The SecurityException is thrown before your method runs, so the method cannot catch it itself. When the decorated method is an event handler, the exception surfaces in the code that raised the event rather than in your handler.
Code:
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    static void AdminFunc() { }
Caveat: multiple PrincipalPermission attributes on one method are combined as a union, so the call is allowed if any one of them is satisfied. In the code above the second attribute therefore admits every authenticated user, not only administrators; to require both conditions put them in a single attribute (Role = @"BUILTIN\Administrators", Authenticated = true). PrincipalPermission is a .NET Framework feature; on .NET Core and .NET 5+ the demand throws PlatformNotSupportedException.
Imperative RBS Demands
Are declared within your code and can be used to restrict access to a portion of a method on a more granular basis. Because the Demand() call is ordinary code, the same method can catch the resulting SecurityException and fall back gracefully.
Three constructors:
PrincipalPermission(PermissionState state)
PrincipalPermission(string name, string role)
PrincipalPermission(string name, string role, bool isAuthenticated)
Passing null for name or role means "any name" or "any role"; the two-argument constructor requires an authenticated identity.
Code:
    PrincipalPermission p = new PrincipalPermission(null, @"BUILTIN\Administrators", true);
    p.Demand();   // throws System.Security.SecurityException if Thread.CurrentPrincipal is not in the role
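The following C# program is an added example covering both the declarative and the imperative demand described above; it is not code from the original notes. It targets .NET Framework (PrincipalPermission is unsupported on .NET Core / .NET 5+), routes Thread.CurrentPrincipal to the Windows principal, and shows where each kind of failure can be caught.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example: declarative vs imperative RBS demands on the Windows principal.
class RbsDemo
{
    // Declarative: the runtime evaluates the demand before the body runs.
    // Both conditions sit in ONE attribute so they are ANDed; two separate attributes
    // would be unioned, and either one being satisfied would allow the call.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators", Authenticated = true)]
    static void AdminOnly()
    {
        Console.WriteLine("AdminOnly ran for " + Thread.CurrentPrincipal.Identity.Name);
    }

    // Imperative: only the privileged portion is guarded, and this method can catch the
    // SecurityException itself and degrade instead of failing the whole call.
    static string Report()
    {
        string result = "public part of the report";
        var adminSection = new PrincipalPermission(null, @"BUILTIN\Administrators");
        try
        {
            adminSection.Demand();
            result += " + admin-only details";
        }
        catch (SecurityException)
        {
            result += " (admin details withheld)";
        }
        return result;
    }

    static void Main()
    {
        // Without this, Thread.CurrentPrincipal is an unauthenticated GenericPrincipal
        // and every demand fails regardless of the Windows account.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        var principal = (WindowsPrincipal)Thread.CurrentPrincipal;
        Console.WriteLine("Running as " + principal.Identity.Name
            + ", admin=" + principal.IsInRole(WindowsBuiltInRole.Administrator));

        Console.WriteLine(Report());

        try
        {
            AdminOnly();
        }
        catch (SecurityException ex)
        {
            // The declarative demand failed before AdminOnly's body executed;
            // the exception can only be caught here, in the caller.
            Console.WriteLine("AdminOnly denied: " + ex.Message);
        }
    }
}
```

Run the program twice, once normally and once from an elevated prompt: under UAC the non-elevated run reports admin=false and takes both denial paths even for an administrator account, because the filtered token marks the Administrators group deny-only.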
Custom Users and Roles:
For authenticating users against a custom database, implement the IIdentity and IPrincipal interfaces (or use the ready-made GenericIdentity and GenericPrincipal classes).
IIdentity interface:
System.Security.Principal.IIdentity
The following classes implement this interface:
WindowsIdentity
FormsIdentity (ASP.NET forms authentication)
PassportIdentity (obsolete)
GenericIdentity - flexible general-purpose implementation
Required properties:
AuthenticationType - description of the user authentication mechanism (e.g. "Basic", "NTLM", or a name of your own)
IsAuthenticated - whether the identity has been authenticated
Name - the user's name
IPrincipal interface:
System.Security.Principal.IPrincipal
Represents the security context of a user, including the user's identity and group or role membership.
The following classes implement this interface:
WindowsPrincipal
GenericPrincipal
Must implement:
Constructor accepting an IIdentity object (by convention; the interface itself does not mandate a constructor)
Property: IPrincipal.Identity
Method: IPrincipal.IsInRole(string role)
Your class can also add convenience members that are not part of the interface, such as:
Property: Roles - returns an array of strings
Methods: IsInAllRoles, IsInAnyRole, IsHigherThanRole, IsLowerThanRole
How to use RBS Demands with a Custom Identity and Principal?
1. Create an IIdentity (or GenericIdentity) object for the current user.
2. Create an IPrincipal (or GenericPrincipal) object based on your IIdentity object.
3. Set the Thread.CurrentPrincipal property to your IPrincipal object. The setting is per thread, so it must be in place on the thread that executes the demand.
4. Add any declarative or imperative RBS demands required. The demand's Role string is checked by calling your IsInRole() method, Name is compared with Identity.Name, and Authenticated reads Identity.IsAuthenticated.
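The four steps above carried through in one program, as an added example that is not code from the original notes. The user "database", passwords and role names are constructed for the example; the CustomIdentity and CustomPrincipal classes run on any .NET, while the PrincipalPermission demands require .NET Framework.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example: custom IIdentity/IPrincipal installed as Thread.CurrentPrincipal,
// then enforced by a declarative and an imperative PrincipalPermission demand.
class CustomIdentity : IIdentity
{
    public CustomIdentity(string name, bool authenticated) { Name = name; IsAuthenticated = authenticated; }
    public string AuthenticationType { get { return "ExampleDb"; } } // our own mechanism label
    public bool IsAuthenticated { get; private set; }
    public string Name { get; private set; }
}

class CustomPrincipal : IPrincipal
{
    private readonly string[] roles;
    public CustomPrincipal(IIdentity identity, string[] roles) { Identity = identity; this.roles = roles ?? new string[0]; }
    public IIdentity Identity { get; private set; }

    // PrincipalPermission.Demand() calls this with the Role string of the demand.
    // Case-insensitive on purpose: an ordinal check would deny "admins" vs "Admins"
    // depending on how the database stored the role name.
    public bool IsInRole(string role)
    {
        return roles.Any(r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase));
    }

    // Convenience members not required by IPrincipal.
    public string[] Roles { get { return (string[])roles.Clone(); } }
    public bool IsInAllRoles(params string[] wanted) { return wanted.All(IsInRole); }
    public bool IsInAnyRole(params string[] wanted) { return wanted.Any(IsInRole); }
}

static class Program
{
    class UserRecord { public string Password; public string[] Roles; }

    // Constructed sample "database" (not real data). Plain-text passwords only keep the
    // example short; real code compares a salted password hash.
    static readonly Dictionary<string, UserRecord> Users = new Dictionary<string, UserRecord>
    {
        { "alice", new UserRecord { Password = "alice-pw", Roles = new[] { "Users", "Admins" } } },
        { "bob",   new UserRecord { Password = "bob-pw",   Roles = new[] { "Users" } } },
    };

    // Steps 1-3: authenticate, build identity and principal, install on the current thread.
    // A failed login still installs a principal, but an unauthenticated one with no roles.
    static bool Login(string user, string password)
    {
        UserRecord rec;
        bool ok = Users.TryGetValue(user, out rec) && rec.Password == password;
        IIdentity identity = new CustomIdentity(ok ? user : "", ok);
        Thread.CurrentPrincipal = new CustomPrincipal(identity, ok ? rec.Roles : null);
        return ok;
    }

    // Step 4a: declarative demand, evaluated by the runtime before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
    static void DeleteAllRecords() { Console.WriteLine("  records deleted"); }

    // Step 4b: imperative demand guarding only part of a method.
    static void ShowProfile()
    {
        Console.WriteLine("  profile of '" + Thread.CurrentPrincipal.Identity.Name + "'");
        try
        {
            new PrincipalPermission(null, "Admins").Demand(); // requires authenticated + role
            Console.WriteLine("  (admin view: audit trail visible)");
        }
        catch (SecurityException) { Console.WriteLine("  (standard view)"); }
    }

    static void Main()
    {
        string[][] attempts = { new[] { "alice", "alice-pw" }, new[] { "bob", "bob-pw" }, new[] { "bob", "wrong" } };
        foreach (string[] a in attempts)
        {
            Console.WriteLine(a[0] + " -> login " + (Login(a[0], a[1]) ? "ok" : "FAILED"));
            ShowProfile();
            try { DeleteAllRecords(); }
            catch (SecurityException) { Console.WriteLine("  DeleteAllRecords denied"); }
        }
    }
}
```

Expected behaviour: alice passes both demands, bob sees the standard view and is denied DeleteAllRecords, and the failed login for bob is denied everywhere because the installed identity is unauthenticated. Note that the denial for the declarative demand is caught in Main, not in DeleteAllRecords, which never starts executing.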