Authenticating and Authorizing Users

Short Notes:

Authentication is the process of identifying a user.

Authorization is the process of verifying that the identified user is allowed to access the requested resource.

 

Windows Identity: System.Security.Principal.WindowsIdentity

Represents a Windows user account.

To create an object, call one of these three methods:

1. GetAnonymous

2. GetCurrent

3. Impersonate

 

Stores information about the user in these properties:

1. AuthenticationType

2. IsAnonymous

3. IsAuthenticated

4. IsGuest

5. IsSystem

6. Name

7. Token

 

Windows Principal: System.Security.Principal.WindowsPrincipal

Provides access to the user's group membership.

Created by passing a WindowsIdentity object to its constructor, or obtained from System.Threading.Thread.CurrentPrincipal.

 

Method: IsInRole() accepts either of these parameters:

1. A WindowsBuiltInRole value

2. A "DOMAIN\GroupName" string
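As an added example (not from the original notes), the following C# program reads the current WindowsIdentity, prints the properties listed above, and checks group membership through a WindowsPrincipal using both parameter forms of IsInRole. It targets .NET Framework on Windows; the group name CONTOSO\Developers is a constructed placeholder that is not expected to exist.

```csharp
using System;
using System.Security.Principal;

// Added example, not from the original notes. Targets .NET Framework on Windows.
static class WindowsIdentityDemo
{
    // Assumption: a constructed group name used only to show the "not a member" path.
    const string PlaceholderGroup = @"CONTOSO\Developers";

    static void Main()
    {
        // GetCurrent() returns the account the process is running as.
        WindowsIdentity identity = WindowsIdentity.GetCurrent();

        Console.WriteLine("Name:               " + identity.Name);
        Console.WriteLine("AuthenticationType: " + identity.AuthenticationType);
        Console.WriteLine("IsAuthenticated:    " + identity.IsAuthenticated);
        Console.WriteLine("IsAnonymous:        " + identity.IsAnonymous);
        Console.WriteLine("IsGuest:            " + identity.IsGuest);
        Console.WriteLine("IsSystem:           " + identity.IsSystem);
        Console.WriteLine("Token (handle):     " + identity.Token);

        // WindowsPrincipal wraps the identity and exposes group membership.
        WindowsPrincipal principal = new WindowsPrincipal(identity);

        // Built-in role check. Under UAC an unelevated process carries the
        // Administrators group as deny-only, so this is false until elevated.
        bool isAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
        Console.WriteLine("Administrator:      " + isAdmin);

        // String form: "DOMAIN\Group" or "BUILTIN\Group".
        bool isUser = principal.IsInRole(@"BUILTIN\Users");
        Console.WriteLine(@"BUILTIN\Users:      " + isUser);

        // A group name that cannot be resolved does not throw; IsInRole returns false.
        Console.WriteLine(PlaceholderGroup + ": " + principal.IsInRole(PlaceholderGroup));

        // The anonymous identity has an empty name and is not authenticated.
        WindowsIdentity anon = WindowsIdentity.GetAnonymous();
        Console.WriteLine("Anonymous Name='" + anon.Name + "' IsAuthenticated=" + anon.IsAuthenticated);
    }
}
```

Run it once normally and once from an elevated prompt to see the Administrator result change; the group check reflects the token the process actually holds, not the account's nominal membership.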

 

Principal Permission: System.Security.Permissions.PrincipalPermission

Enables you to check the active principal in both declarative and imperative security actions.

Properties:

1. Authenticated

2. Name

3. Role

 

Declarative Role-Based Security Demands

Declarative RBS demands instruct the runtime to perform an RBS check before running a method. Security is enforced by the runtime before it executes your code.

Disadvantages:

1. Restrict access to the entire method

2. Throw an exception if the method is called by a Windows event

Code:

[PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
static void AdminFunc() {}

 

Imperative RBS Demands

Are declared within your code and can be used to restrict access to a portion of a method on a more granular basis.

Three constructors:

PrincipalPermission(PermissionState state)

PrincipalPermission(string name, string role)

PrincipalPermission(string name, string role, bool isAuthenticated)

Code:

PrincipalPermission p = new PrincipalPermission(null, @"BUILTIN\Administrators", true);
p.Demand();
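The two demand styles side by side, as an added example that is not part of the original notes: the declarative attribute blocks the whole method, while the imperative demand lets the first part of a method run for everyone and guards only the privileged section. It targets .NET Framework; PrincipalPermission is not supported on .NET Core / .NET 5+, where Demand() throws PlatformNotSupportedException.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not from the original notes. .NET Framework only.
static class RbsDemandDemo
{
    // Declarative: the runtime checks Thread.CurrentPrincipal before the body runs.
    // Both attributes must be satisfied; a failure surfaces as SecurityException
    // at the call site and none of the method body executes.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    static void AdminOnly()
    {
        Console.WriteLine("AdminOnly: running with administrator rights.");
    }

    // Imperative: the check sits inside the method, so the public part runs for
    // any caller and only the guarded section requires the role.
    static void MixedAccess()
    {
        Console.WriteLine("MixedAccess: public part runs for any caller.");

        // name == null means "any user name"; role and authenticated flag are checked.
        PrincipalPermission p = new PrincipalPermission(null, @"BUILTIN\Administrators", true);
        try
        {
            p.Demand();
            Console.WriteLine("MixedAccess: privileged part ran.");
        }
        catch (SecurityException)
        {
            // Expected path for non-admin callers: degrade instead of failing the call.
            Console.WriteLine("MixedAccess: privileged part skipped (not an administrator).");
        }
    }

    static void Main()
    {
        // Both demand styles consult Thread.CurrentPrincipal, so it must be set first.
        // Under UAC this is only an administrator when the process is elevated.
        Thread.CurrentPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());

        try { AdminOnly(); }
        catch (SecurityException ex) { Console.WriteLine("AdminOnly refused: " + ex.Message); }

        MixedAccess();
    }
}
```

Note that the demand is only as trustworthy as whatever assigned Thread.CurrentPrincipal: in a hosted environment such as ASP.NET the host sets it from the authenticated request, and application code should not overwrite it from untrusted input.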

 

Custom Users and Roles:

To authenticate users against a custom database, you can use the IIdentity and IPrincipal interfaces.

IIdentity interface: System.Security.Principal.IIdentity

The following classes implement this interface:

WindowsIdentity

FormsIdentity

PassportIdentity

GenericIdentity – flexible general-purpose implementation

 

Required properties:

AuthenticationType – description of the authentication mechanism used for the user

IsAuthenticated

Name – the user's name

 

IPrincipal interface: System.Security.Principal.IPrincipal

Represents the security context of a user, including the user's identity and group or role membership.

The following classes implement this interface:

WindowsPrincipal

GenericPrincipal

 

Must implement:

A constructor accepting an IIdentity object

Property: IPrincipal.Identity

Method: IPrincipal.IsInRole

 

Can also add (custom members, not part of IPrincipal):

Property: Roles – returns an array of strings

Methods: IsInAllRoles, IsInAnyRole, IsHigherThanRole, IsLowerThanRole

How to use RBS demands with a custom identity and principal?

1. Create an IIdentity or GenericIdentity object for the current user.

2. Create an IPrincipal or GenericPrincipal object based on your IIdentity object.

3. Set the Thread.CurrentPrincipal property to your IPrincipal object.

4. Add any declarative or imperative RBS demands required.
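The four steps carried through end to end, as an added example that is not from the original notes: a custom IIdentity and IPrincipal (with the optional Roles, IsInAllRoles and IsInAnyRole members), a login routine that installs the principal on the thread, and both a declarative and an imperative demand exercised with a user who holds the role, one who does not, and a failed login. The in-memory user store and its users, passwords and roles are constructed for the demo and stand in for the "custom database"; real code would verify a salted password hash. .NET Framework only, since PrincipalPermission is unsupported on .NET Core / .NET 5+.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not from the original notes. .NET Framework only.
class CustomIdentity : IIdentity
{
    public CustomIdentity(string name, bool authenticated)
    {
        Name = name;
        IsAuthenticated = authenticated;
    }
    public string AuthenticationType { get { return "CustomDb"; } } // describes the mechanism
    public bool IsAuthenticated { get; private set; }
    public string Name { get; private set; }
}

class CustomPrincipal : IPrincipal
{
    private readonly string[] roles;

    // Constructor accepting an IIdentity, as the notes require.
    public CustomPrincipal(IIdentity identity, string[] roles)
    {
        Identity = identity;
        this.roles = roles ?? new string[0];
    }

    public IIdentity Identity { get; private set; }

    // Optional members from the notes. Role names are compared case-insensitively,
    // matching how the runtime compares the Name in PrincipalPermission.
    public string[] Roles { get { return (string[])roles.Clone(); } }
    public bool IsInRole(string role) { return roles.Contains(role, StringComparer.OrdinalIgnoreCase); }
    public bool IsInAllRoles(params string[] wanted) { return wanted.All(IsInRole); }
    public bool IsInAnyRole(params string[] wanted) { return wanted.Any(IsInRole); }
}

static class CustomRbsDemo
{
    // Constructed store: user -> (password, roles). Plain-text passwords only for the demo.
    static readonly Dictionary<string, Tuple<string, string[]>> Store =
        new Dictionary<string, Tuple<string, string[]>>
        {
            { "alice", Tuple.Create("s3cret",  new[] { "Manager", "Employee" }) },
            { "bob",   Tuple.Create("hunter2", new[] { "Employee" }) },
        };

    // Steps 1-3: build the identity, wrap it in a principal, install it on the thread.
    // A failed login installs an unauthenticated identity with no roles rather than
    // leaving the old principal in place, so later demands fail closed.
    static void Login(string user, string password)
    {
        Tuple<string, string[]> entry;
        bool ok = Store.TryGetValue(user, out entry) && entry.Item1 == password;
        IIdentity id = new CustomIdentity(ok ? user : string.Empty, ok);
        Thread.CurrentPrincipal = new CustomPrincipal(id, ok ? entry.Item2 : null);
    }

    // Step 4a: declarative demand; the runtime checks the role before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    static void ApproveExpense() { Console.WriteLine("  expense approved"); }

    // Step 4b: imperative demands guarding successive parts of one method.
    static void ViewReport()
    {
        new PrincipalPermission(null, null).Demand();        // any authenticated user
        Console.WriteLine("  summary visible to any authenticated user");
        new PrincipalPermission(null, "Manager").Demand();   // Manager role only
        Console.WriteLine("  detailed figures (Manager only)");
    }

    static void Try(string label, Action action)
    {
        Console.WriteLine(label);
        try { action(); }
        catch (SecurityException) { Console.WriteLine("  denied: SecurityException"); }
    }

    static void Main()
    {
        Login("alice", "s3cret");
        Try("alice -> ApproveExpense", ApproveExpense);   // approved
        Try("alice -> ViewReport", ViewReport);           // summary and detailed figures

        Login("bob", "hunter2");
        Try("bob -> ApproveExpense", ApproveExpense);     // denied before the body runs
        Try("bob -> ViewReport", ViewReport);             // summary, then denied

        Login("bob", "wrong-password");
        Try("bad password -> ViewReport", ViewReport);    // denied: not authenticated
    }
}
```

The runtime never consults the user store itself; PrincipalPermission only asks the installed principal for Identity.IsAuthenticated and IsInRole, so the correctness of the whole check rests on Login being the only code path that assigns Thread.CurrentPrincipal and on IsInRole being implemented faithfully.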


Comments