Thursday, February 10, 2011

Identity and Principal

What's Identity and Principal in .NET terms? What is the significance of something like

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)

I've just started to investigate this whole Identity & Principal thing & found the following link to be quite useful:
http://www.codeguru.com/Csharp/.NET/net_security/authentication/article.php/c7415/

Quite a few things from the post below are taken from Klaus' link above, so thanks to Klaus for an excellent article.

Just a few things about what I've learnt from that article:

  1. Identity is who you are. It is the result of authentication.
  2. Principal = Identity + the groups (roles) of which you are a member. It is what authorization decisions are made against.
The IPrincipal interface exposes the identity through its Identity property (an IIdentity) and a role check through the IsInRole() method. So from the principal you can get both who is running the code and which roles that user is in.

Now to the significance of the line above. Thread.CurrentPrincipal gives you the principal bound to the executing thread. By default (PrincipalPolicy.UnauthenticatedPrincipal) that is a GenericPrincipal wrapping an unauthenticated GenericIdentity with an empty name, so IsInRole() returns false for every role. The framework ships two principal types: a Windows principal (WindowsPrincipal) and a generic principal (GenericPrincipal).

Calling SetPrincipalPolicy on the current AppDomain tells the framework which kind of principal to create when a thread's principal is first read. Call it before Thread.CurrentPrincipal is accessed for the first time: a thread that already has a principal bound keeps it, and a later policy change does not replace it.

Reading Thread.CurrentPrincipal then returns the principal bound to the executing thread. On the first read the framework queries the Windows token of the current user, creates a WindowsIdentity from it, wraps that in a WindowsPrincipal, and binds the principal to the thread. From the Windows principal you can then reach the Windows identity through its Identity property.

Another way to get at the same information is:

WindowsIdentity Identity = WindowsIdentity.GetCurrent();


WindowsIdentity.GetCurrent() queries the Windows token and creates a WindowsIdentity object representing that user. With it you can construct a new WindowsPrincipal, passing the identity to its constructor. The disadvantage is that every call queries the token again and allocates a fresh identity (and principal) object, whereas the first approach reuses the principal and identity cached on the thread. The flip side is that GetCurrent() reflects the thread's current token, so under impersonation it returns the impersonated user, while a principal already cached on the thread does not change.
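The two approaches side by side, as an added example (C#, not code from the post or from Klaus' article). It assumes .NET Framework on Windows; the class name PrincipalPolicyDemo is chosen here:

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Added example, not code from the original post or from Klaus' article.
// Targets .NET Framework on Windows; compile with csc and run as a normal user.
class PrincipalPolicyDemo
{
    static void Main()
    {
        // Tell the AppDomain to bind a WindowsPrincipal to threads. This must run
        // before Thread.CurrentPrincipal is first read on this thread; a thread that
        // already has a principal bound keeps it, whatever the policy now says.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        // First read: the framework queries the process token, builds a WindowsIdentity
        // and a WindowsPrincipal, and caches them on this thread.
        var principal = Thread.CurrentPrincipal as WindowsPrincipal;
        if (principal == null)
        {
            // Happens when the policy was set after this thread's principal was created,
            // or left at the default UnauthenticatedPrincipal (a GenericPrincipal).
            Console.WriteLine("Thread principal is " + Thread.CurrentPrincipal.GetType().Name);
            return;
        }
        var identity = (WindowsIdentity)principal.Identity;
        Console.WriteLine("Name:               " + identity.Name);
        Console.WriteLine("AuthenticationType: " + identity.AuthenticationType);
        Console.WriteLine("IsAuthenticated:    " + identity.IsAuthenticated);

        // Later reads on this thread return the cached object; no new token query.
        Console.WriteLine("Cached on thread:   " + ReferenceEquals(principal, Thread.CurrentPrincipal));

        // WindowsIdentity.GetCurrent() queries the token on every call and returns a
        // fresh object each time; it also reflects impersonation, which the cached one does not.
        WindowsIdentity first = WindowsIdentity.GetCurrent();
        WindowsIdentity second = WindowsIdentity.GetCurrent();
        Console.WriteLine("GetCurrent reused:  " + ReferenceEquals(first, second));

        // Role checks consult the group SIDs in the token. Under UAC a member of
        // Administrators running non-elevated holds a filtered token, so this is
        // false until the process is elevated.
        Console.WriteLine("Administrator:      " + principal.IsInRole(WindowsBuiltInRole.Administrator));
        Console.WriteLine("Users:              " + principal.IsInRole(WindowsBuiltInRole.User));

        // The raw group membership behind IsInRole().
        foreach (IdentityReference group in identity.Groups)
            Console.WriteLine("  group SID " + group.Value);
    }
}
```

Run it once normally and once from an elevated prompt to see the Administrator check flip; the cached principal on the thread is what framework role checks consult, so the order of SetPrincipalPolicy and the first read matters in real code, not just in a demo.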

The best thing about the Identity and Principal abstractions is that the same calls work for different kinds of identity and principal. If, for example, you authenticate against a database, you can write custom identity and principal classes and extend the concept from WindowsPrincipal to your own principal. Create your own Principal and Identity objects, then assign that principal to the current thread:

public class SecurityPrincipal : IPrincipal ...

//assign this principal to the current thread
Thread.CurrentPrincipal = TheSecurityPrincipal;

See Klaus' article for an excellent coverage of how to extend the .NET Identity & Principal concepts to custom principals.
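The custom-principal idea above, worked through as an added example (C#, not code from the post or from Klaus' article). The names SecurityIdentity, SecurityPrincipal and UserStore are chosen here, and the user table is a constructed in-memory stand-in for the database:

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not code from the original post or Klaus' article. SecurityIdentity,
// SecurityPrincipal and UserStore are names chosen here; the user table is a
// constructed in-memory stand-in for the database the post mentions.
public class SecurityIdentity : IIdentity
{
    public SecurityIdentity(string name, bool isAuthenticated) { Name = name; IsAuthenticated = isAuthenticated; }
    public string Name { get; private set; }
    public bool IsAuthenticated { get; private set; }
    public string AuthenticationType { get { return "DatabaseLogin"; } }
}

public class SecurityPrincipal : IPrincipal
{
    private readonly HashSet<string> roles;
    public SecurityPrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        this.roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }
    public IIdentity Identity { get; private set; }
    // An unauthenticated identity is in no role, whatever the role list holds.
    public bool IsInRole(string role)
    {
        return Identity.IsAuthenticated && roles.Contains(role);
    }
}

public static class UserStore
{
    private class Row { public byte[] Salt; public byte[] Hash; public string[] Roles; }
    private static readonly Dictionary<string, Row> Rows =
        new Dictionary<string, Row>(StringComparer.OrdinalIgnoreCase);
    private const int Iterations = 10000;
    // Stores a random salt and a PBKDF2 hash, never the password itself.
    public static void Add(string name, string password, params string[] roles)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Rows[name] = new Row { Salt = salt, Hash = Derive(password, salt), Roles = roles };
    }
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(32);
    }
    // Constant-time comparison so a wrong hash does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Always returns a principal: authenticated with the stored roles on success,
    // otherwise anonymous with no roles, so the caller can bind it unconditionally.
    public static IPrincipal Authenticate(string name, string password)
    {
        Row row;
        if (Rows.TryGetValue(name, out row) && FixedTimeEquals(Derive(password, row.Salt), row.Hash))
            return new SecurityPrincipal(new SecurityIdentity(name, true), row.Roles);
        return new SecurityPrincipal(new SecurityIdentity(string.Empty, false), new string[0]);
    }
}

class Program
{
    static void Main()
    {
        UserStore.Add("alice", "correct horse battery staple", "Admin", "User");
        // Bind the custom principal to the executing thread, as in the post.
        Thread.CurrentPrincipal = UserStore.Authenticate("alice", "correct horse battery staple");
        Console.WriteLine(Thread.CurrentPrincipal.Identity.Name + " IsInRole(Admin): " +
                          Thread.CurrentPrincipal.IsInRole("Admin"));

        // PrincipalPermission reads Thread.CurrentPrincipal, so the framework's own role
        // demands work with the custom principal (.NET Framework; .NET Core throws from Demand).
        try
        {
            new PrincipalPermission(null, "Admin").Demand();
            Console.WriteLine("Demand(Admin) succeeded");
        }
        catch (SecurityException) { Console.WriteLine("Demand(Admin) failed"); }

        // A failed login binds an anonymous principal; every role check is now false.
        Thread.CurrentPrincipal = UserStore.Authenticate("alice", "wrong password");
        Console.WriteLine("after bad login, IsInRole(User): " + Thread.CurrentPrincipal.IsInRole("User"));
    }
}
```

Two design points worth noting. Authenticate() never returns null, so there is no code path on which the thread keeps a stale, more privileged principal from an earlier login. And the principal bound to the thread is only as trustworthy as the code that created it: anything that can call Thread.CurrentPrincipal's setter can hand itself any roles, so the assignment belongs in the authentication layer, not in code that merely needs a role check.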
