Using SharePoint 2007 for Security programming

Source: Internet
Author: User

You may already know the basics of secure programming with Windows® and ASP.NET security, but how much do you know about the additional security layer in Windows SharePoint® Services 3.0 (WSS)? In this month's Office Space column, I will focus on some of the new security terminology and concepts introduced by WSS, and introduce you to security programming with the WSS object model.

It is recommended that you download the sample project that accompanies this column and follow along with the code as you read the rest of the column. The project is configured to run a batch file after the build completes; the batch file compiles all the project components into a WSS solution package and installs the package in the local WSS server farm. After you have built the project and installed the solution, you can browse to any site collection and enable the feature named "Security Demo" for that site collection. You can then navigate, through the Site Actions menu, to a custom application page that demonstrates WSS security programming techniques in code.

External security principals and SPUser objects

Most security models are based on security principals. Each security principal represents a user or a group. Users have accounts and authenticate with those accounts. Once authentication completes, each user gets an identity. When a user authenticates with a Windows account, you can use the Microsoft® .NET Framework security classes in the System.Security namespace to retrieve an identity that refers back to a specific Windows account and lets you read the user's login name:

// Requires: using System.Security.Principal;
WindowsIdentity identity = WindowsIdentity.GetCurrent();
string windowsLogin = identity.Name;

With a WindowsIdentity, you can dynamically create a WindowsPrincipal that lets you test whether the current user belongs to an Active Directory® group or a local Windows group, as follows:

WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
// IsInRole takes the group name in DOMAIN\Group form
if (principal.IsInRole(@"Litwareinc\allfte")) {
    // Perform operation allowed for full-time employees
}

ASP.NET supports both Windows authentication and forms-based authentication (FBA). The User object in ASP.NET avoids a dependency on Windows accounts because it is modeled on the IPrincipal interface rather than the WindowsPrincipal class. The ASP.NET runtime dynamically creates different types of IPrincipal objects depending on whether the current user authenticated with a Windows account or an FBA account:

// Requires: using System.Security.Principal; using System.Web;
IPrincipal aspUser = HttpContext.Current.User;
string aspUserName = aspUser.Identity.Name;
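
The following added example (not part of the original column or its sample project) shows what coding against IPrincipal buys you: one deny-by-default role check that serves both Windows and FBA users. The AccessCheck class, the IsAllowed helper, the user name "brianc" and the role name "FullTimeEmployees" are assumptions made for illustration; it runs as a console program on Windows, with the process identity and a constructed GenericPrincipal standing in for HttpContext.Current.User.

```csharp
using System;
using System.Security.Principal;

static class AccessCheck
{
    // Hypothetical helper: deny by default, and consult roles only for an
    // authenticated identity. It depends on IPrincipal alone, so the same
    // check works whichever principal type the runtime created.
    public static bool IsAllowed(IPrincipal user, string role)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return user.IsInRole(role);
    }

    static void Describe(string label, IPrincipal user, string role)
    {
        Console.WriteLine("{0}: name='{1}', authType='{2}', role='{3}', allowed={4}",
            label, user.Identity.Name, user.Identity.AuthenticationType,
            role, IsAllowed(user, role));
    }

    static void Main()
    {
        const string windowsRole = @"Litwareinc\allfte"; // group name from the column
        const string fbaRole = "FullTimeEmployees";      // constructed FBA role name

        // Windows-authenticated caller: IsInRole resolves Windows group membership.
        IPrincipal windowsUser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        Describe("Windows", windowsUser, windowsRole);

        // Constructed stand-in for an FBA user: no Windows account behind it,
        // roles come from the list handed to the principal.
        IPrincipal fbaUser = new GenericPrincipal(
            new GenericIdentity("brianc", "Forms"), new string[] { fbaRole });
        Describe("FBA", fbaUser, fbaRole);
        Describe("FBA", fbaUser, windowsRole);

        // Anonymous request: an empty name makes IsAuthenticated false. The
        // principal still carries the role, which is why IsAllowed tests
        // IsAuthenticated before calling IsInRole.
        IPrincipal anonymous = new GenericPrincipal(
            new GenericIdentity(""), new string[] { fbaRole });
        Describe("Anonymous", anonymous, fbaRole);
    }
}
```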
