Authenticating and Authorizing Users

Short Notes:

Authentication is the process of identifying a user.

Authorization is the process of verifying that the identified user is allowed to access the requested resource.


Windows Identity: System.Security.Principal.WindowsIdentity

Represents a Windows user account.

To create an object, call one of three static methods:

1. GetAnonymous

2. GetCurrent

3. Impersonate


Stores information about the user in these properties:

1. AuthenticationType

2. IsAnonymous

3. IsAuthenticated

4. IsGuest

5. IsSystem

6. Name

7. Token


Windows Principal: System.Security.Principal.WindowsPrincipal

Provides access to the user's group membership.

Created by passing a WindowsIdentity object to its constructor, or obtained from System.Threading.Thread.CurrentPrincipal.

Method: IsInRole() accepts either of these parameters:

1. A WindowsBuiltInRole enumeration value

2. A "DOMAIN\Group Name" string


Principal Permission: System.Security.Permissions.PrincipalPermission

Enables checking the active principal, for both declarative and imperative security actions, against:

1. Authenticated

2. Name

3. Role


Declarative Role-Based Security Demands

Declarative RBS demands instruct the runtime to perform an RBS check before running a method. Security is enforced by the runtime before it executes your code. Use them to:

1. Restrict access to an entire method

2. Throw an exception if the method is called by a Windows event

[PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Admin")]

[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]

static void AdminFunc() {}


Imperative RBS Demands

Imperative RBS demands are written within your code and can be used to restrict access to a portion of a method on a more granular basis.

Three constructors:

PrincipalPermission(PermissionState)

PrincipalPermission(Name, Role)

PrincipalPermission(Name, Role, Authenticated)

A null Name matches any user name; the demand is enforced by calling Demand() on the object:

PrincipalPermission p = new PrincipalPermission(null, @"BUILTIN\Admin", true);



Custom Users and Roles:

For authenticating users against a custom database, use the IIdentity and IPrincipal interfaces.

IIdentity interface: System.Security.Principal.IIdentity

The following classes implement this interface:

WindowsIdentity – Windows user account (see above)

GenericIdentity – flexible implementation for custom stores

Required properties:

AuthenticationType – description of the user authentication mechanism

IsAuthenticated – whether the user was authenticated

Name – the user's name


IPrincipal interface: System.Security.Principal.IPrincipal

Represents the security context of a user, including the user's identity and group or role membership.

The following classes implement this interface:

WindowsPrincipal – Windows group membership (see above)

GenericPrincipal – flexible implementation for custom role stores

A custom principal must implement:

Constructor accepting an IIdentity object

Property: IPrincipal.Identity

Method: IPrincipal.IsInRole

A custom principal can also add members of its own, for example:

Property: Roles – returns an array of strings

Methods: IsInAllRoles, IsInAnyRole, IsHigherThanRole, IsLowerThanRole

How to use RBS demands with a custom identity and principal:

1. Create an IIdentity or GenericIdentity object for the current user.

2. Create an IPrincipal or GenericPrincipal object based on your IIdentity object.

3. Set the Thread.CurrentPrincipal property to your IPrincipal object.

4. Add any declarative or imperative RBS demands required.
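Added example (my own, not code from the original notes) that walks through the four steps with GenericIdentity and GenericPrincipal and then exercises both demand styles, including the failure cases: wrong role, and a role present but the identity unauthenticated. It assumes .NET Framework (declarative PrincipalPermission attributes are not enforced on .NET Core / .NET 5+); the user name "alice", the "CustomDb" authentication type and the Auditor/KeyAdmin roles are constructed values.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class CustomRbsDemo
{
    // Step 4a, declarative: the runtime checks Thread.CurrentPrincipal before the body runs.
    // Honored on .NET Framework; .NET Core and .NET 5+ do not enforce declarative CAS attributes.
    [PrincipalPermission(SecurityAction.Demand, Role = "Auditor")]
    static void ViewAuditLog()
    {
        Console.WriteLine("Audit log shown to " + Thread.CurrentPrincipal.Identity.Name);
    }
    // Step 4b, imperative: guards only this block; the method itself is still callable.
    static bool TryRotateKeys()
    {
        // Name = null means any user; caller must hold role KeyAdmin and be authenticated.
        var demand = new PrincipalPermission(null, "KeyAdmin", true);
        try
        {
            demand.Demand();
            Console.WriteLine("Keys rotated by " + Thread.CurrentPrincipal.Identity.Name);
            return true;
        }
        catch (SecurityException)
        {
            Console.WriteLine("Key rotation denied: caller is not an authenticated KeyAdmin");
            return false; // fail closed
        }
    }
    static void Main()
    {
        // Steps 1-3: identity from a (constructed) custom user store, principal carrying its
        // roles, then the principal is installed on the thread so demands can see it.
        var alice = new GenericIdentity("alice", "CustomDb");
        Thread.CurrentPrincipal = new GenericPrincipal(alice, new[] { "Auditor" });
        ViewAuditLog();   // passes: alice is in Auditor
        TryRotateKeys();  // denied: alice is not in KeyAdmin
        // An empty name makes GenericIdentity.IsAuthenticated false, so the Authenticated
        // part of the demand fails even though the role is present.
        var anon = new GenericIdentity("");
        Thread.CurrentPrincipal = new GenericPrincipal(anon, new[] { "KeyAdmin" });
        TryRotateKeys();  // denied: not authenticated
        try { ViewAuditLog(); }  // declarative demand throws before the body runs
        catch (SecurityException) { Console.WriteLine("ViewAuditLog denied: not in Auditor"); }
    }
}
```

Both demand styles read whatever principal is on the calling thread, so a thread that never had Thread.CurrentPrincipal set (or that runs under a default unauthenticated principal) fails every demand rather than passing it.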