Sunday, August 2, 2009

Chapter 12-Lesson 1

  • The WindowsIdentity class in the System.Security.Principal namespace represents a Windows user as an object. Instances are obtained through its static methods, such as GetCurrent().
  • The WindowsPrincipal class represents the user groups (roles) a given user belongs to. After obtaining a user's WindowsIdentity, we pass it to the WindowsPrincipal constructor to determine that user's roles/user groups.
  • The IsInRole() method of the WindowsPrincipal class checks a user's membership in either a WindowsBuiltInRole enumerated value or a custom user group given as a string.
  • In case a string is used to check whether the user is in a particular role, we may use System.Environment.MachineName or System.Environment.UserDomainName to form strings such as "TestPC\Administrator".
  • The PrincipalPermission class (and the corresponding attribute) allows imperative as well as declarative security requirements on a given user. Authenticated, Name and Role are the three properties of this attribute.
  • We may place the PrincipalPermission attribute on a method to apply Role Based Security (RBS) to it declaratively, i.e. to restrict it so that only certain users or user groups are able to call it.
  • For that we first need to set the principal policy of System.AppDomain.CurrentDomain (SetPrincipalPolicy), then decorate the method with the attribute using any of its options (Name, Role or Authenticated).
  • Also, we must make sure we call the method within a try block with a catch for SecurityException, because when an unauthorized user tries to call the method the runtime throws that exception.
  • We may also use imperative RBS with the PrincipalPermission class inside the method body to restrict access at a more granular level.
  • WindowsIdentity, FormsIdentity, PassportIdentity and GenericIdentity implement the IIdentity interface.
  • The WindowsPrincipal and GenericPrincipal classes implement the IPrincipal interface.
  • To implement IIdentity, one must implement the following members: AuthenticationType (string), IsAuthenticated (bool) and Name (string).
  • Similarly, to implement IPrincipal three things are required at minimum: a constructor (taking an IIdentity and a string array of roles), an Identity property of type IIdentity, and an IsInRole method that takes a role string and returns bool.
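The following console program is an added example written for these notes; it is not code from the original post or from any textbook. It walks through the points above in one place: it reads the current WindowsIdentity and wraps it in a WindowsPrincipal, checks IsInRole() with both a WindowsBuiltInRole value and a "MachineName\Group" string, sets the AppDomain principal policy, protects one method declaratively with the PrincipalPermission attribute and another imperatively with PrincipalPermission.Demand(), and implements the minimal IIdentity/IPrincipal pair so the same checks can run against a custom principal. The class names DemoIdentity and DemoPrincipal, the methods ReadAuditLog and DeleteAuditLog, the user names and the role names "Auditors" and "Administrators" are all made up for the example. It assumes the .NET Framework on Windows, where PrincipalPermission demands are enforced (they are not supported on .NET Core/.NET 5+).

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Minimal custom identity: exactly the three members IIdentity requires. (Hypothetical class.)
class DemoIdentity : IIdentity
{
    private readonly string _name;
    public DemoIdentity(string name) { _name = name; }
    public string AuthenticationType { get { return "DemoToken"; } }   // constructed value
    public bool IsAuthenticated { get { return !string.IsNullOrEmpty(_name); } }
    public string Name { get { return _name; } }
}

// Minimal custom principal: constructor (identity + roles), Identity property, IsInRole. (Hypothetical class.)
class DemoPrincipal : IPrincipal
{
    private readonly IIdentity _identity;
    private readonly string[] _roles;
    public DemoPrincipal(IIdentity identity, string[] roles)
    {
        _identity = identity;
        _roles = roles ?? new string[0];
    }
    public IIdentity Identity { get { return _identity; } }
    public bool IsInRole(string role)
    {
        return Array.Exists(_roles, r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase));
    }
}

static class Program
{
    // Declarative RBS: the runtime demands the "Auditors" role before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Auditors")]
    static string ReadAuditLog()
    {
        return "audit log contents";   // constructed placeholder
    }

    // Imperative RBS: the demand happens inside the method, so it can be made more granular.
    static void DeleteAuditLog()
    {
        PrincipalPermission perm = new PrincipalPermission(null, "Administrators");
        perm.Demand();   // throws SecurityException if Thread.CurrentPrincipal lacks the role
        Console.WriteLine("audit log deleted");
    }

    // Every protected call goes through a try/catch for SecurityException, as the notes require.
    static void TryCall(string label, Action action)
    {
        try
        {
            action();
            Console.WriteLine(label + ": allowed");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine(label + ": denied (" + ex.Message + ")");
        }
    }

    static void Main()
    {
        // 1. Windows identity and principal of the account running the process.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        WindowsIdentity winId = WindowsIdentity.GetCurrent();
        WindowsPrincipal winPrincipal = new WindowsPrincipal(winId);
        Console.WriteLine("User: " + winId.Name);
        Console.WriteLine("Built-in Administrator? " + winPrincipal.IsInRole(WindowsBuiltInRole.Administrator));
        string localGroup = Environment.MachineName + "\\Users";   // "TestPC\Users"-style string role
        Console.WriteLine("In " + localGroup + "? " + winPrincipal.IsInRole(localGroup));

        // 2. Swap in a custom principal; both the attribute and Demand() now consult it.
        Thread.CurrentPrincipal = new DemoPrincipal(new DemoIdentity("alice"), new[] { "Auditors" });
        TryCall("ReadAuditLog as alice", () => ReadAuditLog());    // allowed
        TryCall("DeleteAuditLog as alice", DeleteAuditLog);        // denied

        Thread.CurrentPrincipal = new DemoPrincipal(new DemoIdentity("bob"), new[] { "Administrators" });
        TryCall("ReadAuditLog as bob", () => ReadAuditLog());      // denied
        TryCall("DeleteAuditLog as bob", DeleteAuditLog);          // allowed
    }
}
```

Two things are worth noticing when running it. First, the declarative attribute never executes the method body for a caller outside the role, so the check cannot be bypassed by code inside the method; the imperative Demand() can be placed after cheaper validation or inside a branch when only part of the method is sensitive. Second, the string form of IsInRole() on a WindowsPrincipal is matched against the account's actual group names, so a mistyped "Machine\Group" string silently evaluates to false rather than failing loudly; checking a WindowsBuiltInRole value where one exists avoids that class of mistake.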
