Application Security, Part 10

The .NET Framework Class Library provides authorization facilities in its System.Security.Principal namespace. It defines an interface, IPrincipal, with a method, IsInRole, that can be used for manual authorization checks. For example, one can construct a GenericPrincipal object, which implements IPrincipal, for the current user, passing in an array of strings naming the user's roles. Then, within a method, one can call IsInRole on that GenericPrincipal with the role the user must hold for certain code to execute, and decide whether to proceed based on whether that role is among the strings passed to the GenericPrincipal constructor. Furthermore, if one assigns the GenericPrincipal object to the CurrentPrincipal property of the Thread, one can also decorate methods with attributes declaring the roles the user must hold for the method to execute, and those authorization checks occur automatically.
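The two styles of check described above, manual IsInRole and a declarative attribute enforced once the principal is attached to the thread, as an added C# example that is not code from the original post. The user name "alice" and the role names "User", "Approver" and "Admin" are constructed sample values; the declarative attribute used is PrincipalPermissionAttribute from System.Security.Permissions, which is enforced on the .NET Framework (it is not supported on .NET Core and later, where the demand throws PlatformNotSupportedException).

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example: manual and declarative role checks with GenericPrincipal.
// The identity name and role names are constructed for illustration only.
class RoleCheckDemo
{
    // Manual check: the method reads the role list through IPrincipal.IsInRole
    // and the caller decides what to do with the answer.
    static bool CanApprove(IPrincipal principal)
    {
        return principal.IsInRole("Approver");
    }

    // Declarative check: the runtime evaluates the demand against
    // Thread.CurrentPrincipal before the body runs and throws
    // SecurityException if that principal is not in the "Admin" role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    static void ResetAllPasswords()
    {
        Console.WriteLine("ResetAllPasswords executed.");
    }

    // Imperative form of the same demand, useful when the role name is
    // only known at run time.
    static void RequireRole(string role)
    {
        new PrincipalPermission(null, role).Demand();
    }

    static void Main()
    {
        // In a real application the identity and roles come from an
        // authenticated source; here they are constructed inline.
        var identity = new GenericIdentity("alice");
        var principal = new GenericPrincipal(identity, new[] { "User", "Approver" });

        Console.WriteLine("alice is Approver: " + CanApprove(principal)); // True

        // Attach the principal to the thread so declarative and imperative
        // demands see it. Until this is done, demands are evaluated against
        // whatever principal (if any) the host set on the thread.
        Thread.CurrentPrincipal = principal;

        try
        {
            ResetAllPasswords(); // alice is not in "Admin": SecurityException
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied: " + ex.Message);
        }

        try
        {
            RequireRole("Admin"); // same outcome via the imperative demand
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied: " + ex.Message);
        }

        // Same identity, now granted Admin: the demand succeeds.
        Thread.CurrentPrincipal = new GenericPrincipal(identity, new[] { "User", "Admin" });
        ResetAllPasswords();
    }
}
```

The point to keep in mind is that both checks trust whatever was placed in Thread.CurrentPrincipal: the role strings are authoritative only to the extent that the code which constructed the GenericPrincipal obtained them from a trustworthy source, which is the gap the Authorization Manager integration below is meant to fill.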

However, the facilities of the .NET Framework Class Library do not include a user interface for administering the roles to which users belong. The Windows 2003 Authorization Manager provides a user interface for that purpose, and the role data retrieved from Authorization Manager can be used to construct IPrincipal objects.

[This posting is provided "AS IS" with no warranties, and confers no rights.]