.NET Role-Based Security

Role-based security is nothing new. All Windows NT, Windows 2000, and Windows XP machines have the concepts of users and groups. A user belongs to one or more groups, and each group defines the role that the user plays on the computer: administrator, user, power user, and so on.

These same concepts extend to the Windows domain system and the Microsoft Active Directory system. In both cases, users and groups are defined, with groups essentially defining the roles that each user plays within the network.

The .NET Framework itself supports the general concept of role-based security, and can interact with these existing technologies to provide the underlying implementation. The support for this concept comes from .NET principal and identity objects as explained in the following list:

  • An identity object defines the identity of the current user. It provides the user's name, the type of authentication that was used to identify the user, and whether the user was authenticated at all.

  • A principal object defines the current user's identity, and the user's associated roles or groups. This means that the principal object contains an identity object, and a list of roles for the user.

There are three main categories of principal and identity objects:

  • WindowsPrincipal and WindowsIdentity

  • GenericPrincipal and GenericIdentity

  • Custom principal and identity

The WindowsPrincipal object contains a WindowsIdentity object, along with the list of Windows groups that the user belongs to. These objects correspond to the Windows account our application is running under, and the .NET Framework populates them for us from the process's Windows access token (WindowsIdentity.GetCurrent() returns the identity directly). One caveat: Thread.CurrentPrincipal only holds a WindowsPrincipal if the application domain's principal policy has been set to PrincipalPolicy.WindowsPrincipal, or a host such as ASP.NET with Windows authentication has done so; by default it holds an unauthenticated GenericPrincipal.
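The following is an added example (not code from the book or from the CSLA framework it describes) showing how to get at the WindowsPrincipal for the current account, including the principal-policy call without which Thread.CurrentPrincipal is not a WindowsPrincipal at all. It assumes the .NET Framework on Windows; the class name WindowsRoleCheck is arbitrary.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

class WindowsRoleCheck
{
    static void Main()
    {
        // Without this call, Thread.CurrentPrincipal is an unauthenticated
        // GenericPrincipal (the .NET Framework default), not the logged-on account.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        var principal = (WindowsPrincipal)Thread.CurrentPrincipal;
        var identity = (WindowsIdentity)principal.Identity;   // same as WindowsIdentity.GetCurrent()

        Console.WriteLine("Name:      " + identity.Name);               // DOMAIN\user
        Console.WriteLine("Auth type: " + identity.AuthenticationType); // e.g. NTLM or Kerberos
        Console.WriteLine("Auth'd:    " + identity.IsAuthenticated);

        // Role checks: by well-known role or by group name. Note that under UAC a
        // non-elevated process of an administrator reports Administrator as false,
        // because the token carries the Administrators group as deny-only.
        Console.WriteLine("Admin:     " + principal.IsInRole(WindowsBuiltInRole.Administrator));
        Console.WriteLine("Users:     " + principal.IsInRole(@"BUILTIN\Users"));

        // The groups the token carries, as SIDs; translate each to an account name.
        foreach (IdentityReference group in identity.Groups)
        {
            string name;
            try { name = group.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "(unmapped SID)"; } // e.g. a deleted group
            Console.WriteLine(group.Value + " -> " + name);
        }
    }
}
```

The IdentityNotMappedException handler matters on real machines: tokens routinely carry SIDs for groups that no longer exist or belong to an unreachable domain, and a single unmapped SID would otherwise abort the whole listing.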

The GenericPrincipal object contains a GenericIdentity object. These objects are very basic implementations of the .NET security scheme, and they can be loaded with a user identity and a list of roles by our code. They're designed to make it easy to implement custom security. For instance, we may want to identify the user and roles based on some tables in a database, and these objects make that relatively easy to do.

We can also implement our own custom principal and identity objects. To create a principal object, we need to create a class that implements the System.Security.Principal.IPrincipal interface, which has an Identity property that returns the user's identity object, and an IsInRole() method that's used to determine whether the user is in a given role. To create an identity object, we need to create a class that implements the IIdentity interface, which has three read-only properties: Name (the user's ID), AuthenticationType (the scheme used to authenticate the user), and IsAuthenticated.

In many cases, we can use GenericPrincipal and GenericIdentity to provide simple, custom security implementations. In other cases, we may need to create a custom implementation. As part of our framework, we'll choose the second option. Specifically, we'll be creating a BusinessIdentity class that inherits from our framework's ReadOnlyBase class. By doing this, we'll be able to authenticate the user and retrieve the user's list of roles by using our DataPortal mechanism.
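The following is an added example, not code from the book or from its framework, that covers both approaches described above: loading a GenericPrincipal and GenericIdentity from application data, and writing a custom IIdentity/IPrincipal pair. The user table is constructed inline to stand in for the database tables the text mentions, and the names UserStore, AppIdentity, AppPrincipal and RequireRole are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Constructed sample user table (name -> password, roles). A real store would hold
// salted password hashes, and the credential check would compare in constant time.
static class UserStore
{
    private static readonly Dictionary<string, (string Password, string[] Roles)> Users =
        new Dictionary<string, (string Password, string[] Roles)>(StringComparer.OrdinalIgnoreCase)
        {
            ["alice"] = ("s3cret", new[] { "Supervisor", "Clerk" }),
            ["bob"]   = ("hunter2", new[] { "Clerk" }),
        };

    // GenericPrincipal/GenericIdentity loaded from our own data. Returns null on
    // failure so the caller decides which principal the thread ends up with.
    public static IPrincipal Authenticate(string name, string password)
    {
        if (name == null || !Users.TryGetValue(name, out var entry) || entry.Password != password)
            return null;
        // GenericIdentity reports IsAuthenticated == true whenever Name is non-empty.
        var identity = new GenericIdentity(name, "AppDatabase");
        return new GenericPrincipal(identity, entry.Roles);
    }
}

// Custom identity: IIdentity is just three read-only properties.
sealed class AppIdentity : IIdentity
{
    public AppIdentity(string name, bool isAuthenticated)
    {
        Name = name ?? string.Empty;
        IsAuthenticated = isAuthenticated;
    }
    public string Name { get; }
    public string AuthenticationType => "AppDatabase";
    public bool IsAuthenticated { get; }
}

// Custom principal: IsInRole is answered from our own role list, and an
// unauthenticated identity is never in any role.
sealed class AppPrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;

    public AppPrincipal(AppIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get; }

    public bool IsInRole(string role) =>
        Identity.IsAuthenticated && role != null && _roles.Contains(role);

    // A principal to put on the thread when nobody is logged in.
    public static AppPrincipal Anonymous =>
        new AppPrincipal(new AppIdentity(string.Empty, false), new string[0]);
}

static class Program
{
    // Explicit check against whatever principal is on the thread. On the .NET
    // Framework, new PrincipalPermission(null, role).Demand() does the same thing.
    static void RequireRole(string role)
    {
        IPrincipal p = Thread.CurrentPrincipal;
        if (p == null || !p.IsInRole(role))
            throw new SecurityException("Role required: " + role);
    }

    static void ApproveOrder()
    {
        RequireRole("Supervisor");
        Console.WriteLine("order approved by " + Thread.CurrentPrincipal.Identity.Name);
    }

    static void Main()
    {
        // 1. GenericPrincipal loaded from the sample table; alice is a Supervisor.
        Thread.CurrentPrincipal = UserStore.Authenticate("alice", "s3cret") ?? AppPrincipal.Anonymous;
        ApproveOrder();

        // 2. Custom principal holding only the Clerk role: the check fails.
        Thread.CurrentPrincipal = new AppPrincipal(new AppIdentity("bob", true), new[] { "Clerk" });
        try { ApproveOrder(); }
        catch (SecurityException ex) { Console.WriteLine("denied: " + ex.Message); }

        // 3. Failed login: replace the thread's principal rather than leaving the
        //    previous user's principal (and roles) behind on the thread.
        Thread.CurrentPrincipal = UserStore.Authenticate("bob", "wrong") ?? AppPrincipal.Anonymous;
        Console.WriteLine(Thread.CurrentPrincipal.Identity.IsAuthenticated); // False
        Console.WriteLine(Thread.CurrentPrincipal.IsInRole("Clerk"));        // False
    }
}
```

Two design points are worth copying into a real implementation: IsInRole always returns false for an unauthenticated identity, so no code path can pass a role check on a principal that was never logged in, and a failed authentication always installs an anonymous principal instead of leaving the thread as it was.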



Expert C# Business Objects
Expert C# 2008 Business Objects
ISBN: 1430210192
Year: 2006
Pages: 111
