1. Home
  2. Programming
  3. .NET Programming security

Chapter 29. The System.Security.Principal Namespace

The .NET runtime provides a simple role-based security mechanism that enables code to make security decisions based on the user that is running the code, and the roles to which the user belongs. .NET's role-based security model is independent of any underlying authentication and authorization mechanism, and relies on two key abstractions that represent the user and their roles: identities and principals. An identity represents an authenticated user, and the principal is a container that holds both the identity and the set of roles to which the identity belongs. Principals are assigned to threads and provide the information necessary for the runtime to authorize and control the actions of the current user.

The System.Security.Principal namespace contains the interfaces that define the functionality of identities and principals, and includes two concrete role-based security implementations. The first implementation consists of the classes named with the prefix "Generic." The generic role-based security implementation is simple and requires direct manipulation to configure identities and principals, but can be used in conjunction with any user authentication and authorization mechanism. The second implementation consists of the classes named with the prefix "Windows." The Windows role-based security implementation integrates with the Windows user accounts mechanism and allows code to base security decisions on Windows user accounts, and the user groups to which they belong.

Role-based security is enforced using security demands similar to those used to enforce code-access security. The System.Security.Permissions.PrincipalPermission class provides support for imperative role-based security demands, and the System.Security.Permissions.PrincipalPermissionAttribute class provides support for declarative demands. When code invokes a role-based security demand, the runtime evaluates the principal of the current thread to ensure that it has the demanded identity and roles. If not, the demand raises a System.Security.SecurityException. Role-based security demands do not cause stack walks.

Figure 29-1 shows the types in this namespace.

Figure 29-1. The System.Security.Principal namespace
figs/pdns_2901.gif


    		Part I: Fundamentals
    		Part II: .NET Security
    		Part III: .NET Cryptography
    		Part IV: .NET Application Frameworks
    		Part V: API Quick Reference
    		Chapter 21. How to Use This Quick Reference
    		Chapter 22. Converting from C# to VB Syntax
    		Chapter 23. The System.Security Namespace
    		Chapter 24. The System.Security.Cryptography Namespace
    		Chapter 25. The System.Security.Cryptography.X509Certificates Namespace
    		Chapter 26. The System.Security.Cryptography.Xml Namespace
    		Chapter 27. The System.Security.Permissions Namespace
    		Chapter 28. The System.Security.Policy Namespace
    		Chapter 29. The System.Security.Principal Namespace
    		GenericIdentity
    		GenericPrincipal
    		IIdentity
    		IPrincipal
    		PrincipalPolicy
    		WindowsAccountType
    		WindowsBuiltInRole
    		WindowsIdentity
    		WindowsImpersonationContext
    		WindowsPrincipal