.NET Framework role-based security (2)

Source: Internet
Author: User

A principal object is an instance of a class that implements the IPrincipal interface; it represents the user and carries the user's identity information. The System.Security.Principal namespace provides several principal classes that encapsulate the security context in which code runs. Below is sample code that checks the user name and role membership to decide whether the user may perform certain actions.

Each thread is associated with a principal object, which in turn holds an Identity object representing the user who is running the current thread. The static CurrentPrincipal property of the Thread class gets (and sets) that principal object.

Now let's look at the IPrincipal interface, which has only one public property, Identity, and one public method, IsInRole:

1. The Identity property returns the IIdentity object associated with the principal object.

2. The IsInRole method takes a string parameter naming a role and returns a Boolean value indicating whether the principal object belongs to that role.

In day-to-day development we mostly deal with the WindowsPrincipal class, so it is discussed in detail below; the GenericPrincipal class is covered only briefly.

GenericPrincipal class

The GenericPrincipal class represents a user who has passed custom (application-defined) validation, and is typically paired with the GenericIdentity class. Here is a simple program showing how the two classes work together:


using System.Security.Principal;
using System.Threading;

// Create a GenericIdentity object; the second argument is only a label
// that is exposed through IIdentity.AuthenticationType
IIdentity myGenericIdentity = new GenericIdentity(strUserName, "MyAuthenticationType");

// Create a GenericPrincipal object (a null role array means "no roles")
string[] roles = null;
GenericPrincipal myGenericPrincipal = new GenericPrincipal(myGenericIdentity, roles);

// Attach the GenericPrincipal object to the current thread
Thread.CurrentPrincipal = myGenericPrincipal;

Note: in the example above the "MyAuthenticationType" string can be replaced by a well-known name such as "Kerberos" or "NTLM". It is only a descriptive label stored on the identity, however; setting it does not perform Kerberos or NTLM authentication. The credential must already have been verified by whatever mechanism the application uses, and code that actually authenticates against Windows should use WindowsIdentity instead.

Validation then reads the principal back from the thread:


using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Get the principal object for the current thread
IPrincipal principal = Thread.CurrentPrincipal;

// This check compares the identity name only; a role check would
// call principal.IsInRole(...) against the roles array supplied above
if (!principal.Identity.Name.Equals("TrustedUser"))
{
    throw new SecurityException(
        strUserName + " is not permitted to proceed.\n");
}
Console.WriteLine(
    strUserName + " is permitted to proceed.\n");
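The snippets above attach a principal and then compare the identity name. The following is an added example, not code from the original article, that carries the same idea one step further: a custom sign-in that issues a GenericPrincipal with roles, and an authorization check that tests IsAuthenticated and IsInRole rather than a hard-coded user name. The user directory, the "CustomForms" label and the role names are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Added example (not from the original article): custom authentication that
// issues a GenericPrincipal carrying roles, then authorizes by role.
static class CustomAuth
{
    // Constructed sample directory: user name -> roles. In a real application
    // this comes from a store that has already verified the credential.
    static readonly Dictionary<string, string[]> Users = new Dictionary<string, string[]>
    {
        { "alice", new[] { "Developer", "Auditor" } },
        { "bob",   new[] { "Developer" } },
    };

    // Builds the principal and attaches it to the current thread. The
    // authentication type is only a label stored on the identity; it does
    // not perform Kerberos/NTLM authentication.
    public static IPrincipal SignIn(string userName)
    {
        string[] roles;
        if (!Users.TryGetValue(userName, out roles))
        {
            // Unknown user: attach an unauthenticated principal. A GenericIdentity
            // with an empty name reports IsAuthenticated == false.
            var anonymous = new GenericPrincipal(new GenericIdentity(string.Empty), null);
            Thread.CurrentPrincipal = anonymous;
            return anonymous;
        }

        var identity = new GenericIdentity(userName, "CustomForms");
        var principal = new GenericPrincipal(identity, roles);
        Thread.CurrentPrincipal = principal;
        return principal;
    }

    // Authorization is a role check, not a name check, so adding a user never
    // requires touching this code. Fails closed when no principal is attached.
    public static void RequireRole(string role)
    {
        IPrincipal principal = Thread.CurrentPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new SecurityException("caller is not authenticated");
        if (!principal.IsInRole(role))
            throw new SecurityException(principal.Identity.Name + " is not in role " + role);
    }

    static void Main()
    {
        SignIn("alice");
        RequireRole("Auditor");            // passes: alice is Developer and Auditor
        Console.WriteLine(Thread.CurrentPrincipal.Identity.Name + " may audit");

        SignIn("bob");
        try { RequireRole("Auditor"); }    // bob is only a Developer
        catch (SecurityException e) { Console.WriteLine("denied: " + e.Message); }

        SignIn("mallory");                 // not in the directory
        try { RequireRole("Developer"); }
        catch (SecurityException e) { Console.WriteLine("denied: " + e.Message); }
    }
}
```

Because GenericPrincipal does no validation of its own, everything depends on SignIn only being reached after the credential has been checked; the unauthenticated branch exists so that a missed lookup leaves a principal that RequireRole rejects rather than no principal at all.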

WindowsPrincipal class

The WindowsPrincipal class, the IPrincipal implementation we meet most often in development, has a single constructor:
public WindowsPrincipal(WindowsIdentity ntIdentity);

The following code shows how to create a WindowsPrincipal object:


WindowsIdentity wi = WindowsIdentity.GetCurrent();
WindowsPrincipal wp = new WindowsPrincipal(wi);

The WindowsPrincipal class has three IsInRole overloads that are worth knowing:


public virtual bool IsInRole(int rid);

The first overload takes an integer that is the relative identifier (RID), the domain-relative sub-authority that ends a SID, of the group to test. The RID values are defined in the Winnt.h header of the Platform SDK, which includes the common users and groups: DOMAIN_USER_RID_ADMIN and DOMAIN_USER_RID_GUEST for users, DOMAIN_GROUP_RID_ADMINS, DOMAIN_GROUP_RID_USERS and DOMAIN_GROUP_RID_GUESTS for domain groups, and DOMAIN_ALIAS_RID_ADMINS, DOMAIN_ALIAS_RID_USERS and so on for the built-in local groups; the file can be found under the \Microsoft Visual Studio .NET\Vc7\PlatformSDK\Include folder. Note that this overload resolves the RID under the BUILTIN domain (S-1-5-32-rid), so it is the DOMAIN_ALIAS_RID_* values (for example 0x220 for Administrators) that answer "is this user a local administrator"; the DOMAIN_GROUP_RID_* values belong to the account domain and will not match here.


public virtual bool IsInRole(string role);

The second overload takes a string naming a user group, in the form MachineName\GroupName, for example MyComputer\Developer for the Developer group on the computer named MyComputer. The built-in groups cannot be written this way: Administrators is not MyComputer\Administrators but BUILTIN\Administrators. Two further caveats: the name is resolved through the local security authority, and group names are localized, so a string that works on an English installation fails on a German or Chinese one. The third overload avoids both problems for the built-in groups.
public virtual bool IsInRole(WindowsBuiltInRole role);

The third overload takes a WindowsBuiltInRole enumeration value. The enumeration defines the following members:

1. AccountOperator - can manage user accounts on the computer or domain.

2. Administrator - has complete and unrestricted access to the computer or domain.

3. BackupOperator - can override security restrictions for the sole purpose of backing up or restoring files.

4. Guest - similar to User, but more restricted.

5. PowerUser - holds most administrative permissions, with some restrictions.

6. PrintOperator - can take control of printers.

7. Replicator - supports file replication in a domain.

8. SystemOperator - can manage a particular computer.

9. User - prevented from making accidental or intentional system-wide changes.
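The following is an added example, not code from the original article, that asks the same question ("is the current user a local administrator?") through each IsInRole overload described above, plus the SecurityIdentifier overload that .NET Framework 2.0 added. It must run on Windows; the 0x220 constant is DOMAIN_ALIAS_RID_ADMINS from Winnt.h, and the BUILTIN\Administrators string assumes an English installation.

```csharp
using System;
using System.Security.Principal;

// Added example (not from the original article): the same membership check
// through every IsInRole overload. Run it from a normal prompt and again from
// an elevated one to see the effect of the UAC filtered token.
static class WindowsRoleCheck
{
    // DOMAIN_ALIAS_RID_ADMINS from Winnt.h; the int overload resolves it under
    // the BUILTIN domain, i.e. S-1-5-32-544.
    const int DomainAliasRidAdmins = 0x220;

    // Returns the four answers so they can be compared side by side.
    public static bool[] IsLocalAdmin(WindowsPrincipal wp)
    {
        // 1. RID overload
        bool byRid = wp.IsInRole(DomainAliasRidAdmins);

        // 2. String overload; the group name is localized, so this string only
        //    works on an English Windows
        bool byName = wp.IsInRole(@"BUILTIN\Administrators");

        // 3. Enum overload; WindowsBuiltInRole.Administrator has the same numeric
        //    value (0x220) as the RID used above
        bool byEnum = wp.IsInRole(WindowsBuiltInRole.Administrator);

        // 4. SID overload (.NET 2.0+): locale independent and usable for any group,
        //    not just the built-in ones
        var adminsSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        bool bySid = wp.IsInRole(adminsSid);

        return new[] { byRid, byName, byEnum, bySid };
    }

    static void Main()
    {
        WindowsIdentity wi = WindowsIdentity.GetCurrent();
        WindowsPrincipal wp = new WindowsPrincipal(wi);

        Console.WriteLine("User:     " + wi.Name);
        Console.WriteLine("AuthType: " + wi.AuthenticationType); // e.g. "NTLM" or "Kerberos"

        bool[] r = IsLocalAdmin(wp);
        Console.WriteLine("Administrators by RID/name/enum/SID: {0}/{1}/{2}/{3}", r[0], r[1], r[2], r[3]);

        // Under UAC, a member of Administrators running a non-elevated process
        // holds a filtered token in which the Administrators SID is marked
        // deny-only, so all four checks return false until the process is elevated.
        // A role check therefore reports the privileges the token can exercise
        // now, not the groups the account is a member of.
    }
}
```

On an English system all four results agree; the point of running the four together is that the RID, enum and SID forms keep agreeing on a localized system while the string form silently returns false, which is the wrong direction to fail if the check is guarding a fallback to less-privileged behaviour.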

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.