Configuring Authorization

Role-based authorization within the .NET Framework involves two interfaces: IIdentity and IPrincipal. Applications that use Windows accounts use these interfaces through the WindowsIdentity and WindowsPrincipal objects, although it is possible to create your own custom authorization scheme by implementing the IIdentity and IPrincipal interfaces directly.

The WindowsIdentity object represents the current user running the code and includes information such as the user's name and authentication method. The WindowsPrincipal object adds functionality to the WindowsIdentity object, representing the entire security context of the user running the code, including the roles to which the user belongs.

You can obtain the WindowsIdentity object of the current user through the static GetCurrent method of that class, as shown in the following example:

  1. Open an instance of Visual Studio .NET and create a new .NET project, including a form.

  2. Place a ListBox control (lbProperties) and a Button control (btnGetProperties) on the form.

  3. Add the following to the form's code module:

     Imports System.Security.Principal

     Private Sub btnGetProperties_Click(ByVal sender As System.Object, _
      ByVal e As System.EventArgs) Handles btnGetProperties.Click
         ' Use the Windows account as the principal for this application domain
         AppDomain.CurrentDomain.SetPrincipalPolicy( _
          PrincipalPolicy.WindowsPrincipal)
         lbProperties.Items.Clear()
         ' Identity of the user running the code
         Dim wi As WindowsIdentity = WindowsIdentity.GetCurrent()
         With lbProperties.Items
             .Add("WindowsIdentity:")
             .Add("  Authentication type: " & wi.AuthenticationType)
             .Add("  Is Anonymous: " & wi.IsAnonymous)
             .Add("  Is Authenticated: " & wi.IsAuthenticated)
             .Add("  Is Guest: " & wi.IsGuest)
             .Add("  Is System: " & wi.IsSystem)
             .Add("  Name: " & wi.Name)
             .Add("  Token: " & wi.Token.ToString)
         End With
         ' Principal built from that identity; it adds the role checks
         Dim prin As WindowsPrincipal = New WindowsPrincipal(wi)
         With lbProperties.Items
             .Add("  Authentication Type: " & _
              prin.Identity.AuthenticationType)
             .Add("  Is Authenticated: " & _
              prin.Identity.IsAuthenticated)
             .Add("  Name: " & prin.Identity.Name)
             .Add("  Member of Domain Users: " & _
              prin.IsInRole("MYDOMAIN\Domain Users"))
         End With
     End Sub

  4. When you run the project, the code will return the current values of the WindowsIdentity and WindowsPrincipal classes. Note that your domain will be different from the one used here (MYDOMAIN).

The IsInRole method allows you to test the role membership of the current user against the specified DOMAIN\Group name. This method accepts three forms of test:

  • IsInRole(WindowsBuiltInRole): Uses one of the WindowsBuiltInRole constants to check group membership

  • IsInRole(String): Checks for membership in the specified group

  • IsInRole(Integer): Checks for membership in a group with the specified role identifier (RID)

The PrincipalPermission Class

Another way to identify group membership involves the use of the PrincipalPermission class or the PrincipalPermissionAttribute attribute, as demonstrated in the following example:

  1. Open an instance of Visual Studio .NET and create a new .NET Windows Application project, including a form.

  2. Add this code to the form's code module:

     Imports System
     Imports System.Security.Permissions
     Imports System.Security.Principal

     Private Sub Form1_Load(ByVal sender As System.Object, _
      ByVal e As System.EventArgs) Handles MyBase.Load
         ' Tell the CLR to use Windows security
         AppDomain.CurrentDomain.SetPrincipalPolicy( _
          PrincipalPolicy.WindowsPrincipal)
         ' Create a new PrincipalPermission object
         ' This object matches any user in a group
         ' named Administrators
         Dim pp As PrincipalPermission = New PrincipalPermission( _
          Nothing, "BUILTIN\Administrators")
         ' See if the user is in the group
         Try
             pp.Demand()
             MessageBox.Show("You are in the Administrators group")
         Catch ex As Exception
             MessageBox.Show("Exception: " & ex.Message)
         End Try
     End Sub

  3. When you run the project, the code will either notify you that you are a member of the Administrators group or display the exception message.
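
The following is an added example, not code from the book: a console program that runs the three IsInRole forms side by side against the local Administrators group and then uses the PrincipalPermissionAttribute form mentioned above as a declarative check. It assumes a .NET Framework console application on Windows; the names AuthorizationDemo and AdminOnlyOperation are hypothetical.

```vb
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal

Module AuthorizationDemo ' hypothetical module name

    ' Declarative demand: the runtime checks Thread.CurrentPrincipal before
    ' the method body runs and throws SecurityException if the role is missing.
    <PrincipalPermission(SecurityAction.Demand, Role:="BUILTIN\Administrators")> _
    Private Sub AdminOnlyOperation() ' hypothetical protected operation
        Console.WriteLine("Administrator-only operation executed.")
    End Sub

    Sub Main()
        ' Tie Thread.CurrentPrincipal to the Windows account, as in the steps above.
        AppDomain.CurrentDomain.SetPrincipalPolicy( _
            PrincipalPolicy.WindowsPrincipal)

        Dim prin As New WindowsPrincipal(WindowsIdentity.GetCurrent())
        Console.WriteLine("User: " & prin.Identity.Name)

        ' The three IsInRole forms, each testing the local Administrators group.
        Dim byEnum As Boolean = prin.IsInRole(WindowsBuiltInRole.Administrator)
        Dim byName As Boolean = prin.IsInRole("BUILTIN\Administrators")
        Dim byRid As Boolean = prin.IsInRole(544) ' 544 is the Administrators RID
        Console.WriteLine("By WindowsBuiltInRole: " & byEnum)
        Console.WriteLine("By group name:         " & byName)
        Console.WriteLine("By RID:                " & byRid)

        ' Catch SecurityException specifically so that an authorization failure
        ' is not confused with an unrelated error, and deny by default.
        Try
            AdminOnlyOperation()
        Catch ex As SecurityException
            Console.WriteLine("Access denied: " & ex.Message)
        End Try
    End Sub

End Module
```

On Windows versions with User Account Control, a process that is not elevated reports False for the Administrators checks even when the account belongs to that group, because the checks evaluate the process token.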



Developing and Implementing Windows®-based Applications with Visual Basic® .NET and Visual Studio® .NET Exam Cram™ 2 (Exam 70-306)
Year: 2002
Pages: 188
