Home   |   QuickStart Welcome   |   ASP.NET   |   Web Services   |   How Do I...?   
  |   I want my samples in...      

How Do I...? Common Tasks QuickStart Tutorial

How Do I...Check the Windows Identity in a client application?

User identity is a common means of controlling access to a business application or limiting the options available within that application. The .NET Framework classes under the namespace System.Security.Principal are provided to assist in making such role-based security determinations.

These classes and the mechanisms they expose are highly extensible. They allow host code to provide its own user identity and role information, or allow it to expose the user account and group information provided by Windows. For more complete details regarding how to extend the role-based security system, consult the .NET Framework SDK Developer's Guide.

For those who simply need to check the user's Windows user name and group memberships from a client application, this topic will show you how.

The Framework provides a WindowsIdentity class that represents an authenticated Windows user and a WindowsPrincipal class that encapsulates the WindowsIdentity and information about the user's role memberships. These objects representing the current user are accessible in one of two ways: using a static property on the Thread object or a static method on the WindowsIdentity object. Examples of both are given in the following section.

Accessing the current principal from the Thread is the standard approach, and it works for all types of principal objects. But, because this method returns an IPrincipal, it must be cast as a WindowsPrincipal before it can be used as one. Notice that before accessing the current principal, a call to SetPrincipalPolicy is made. This is noteworthy because without it the principal returned would be a GenericPrincipal containing no user information. As the call to SetPrincipalPolicy requires the ControlPrincipal SecurityPermission (one not normally given out to less than fully trusted code) this prevents semi-trusted code (such as that running off the Internet) from gaining access to a user's account name.


WindowsPrincipal user = (WindowsPrincipal)System.Threading.Thread.CurrentPrincipal;
WindowsIdentity ident = user.Identity;

Since checking for a Windows identity is expected to be a very common case, a shortcut is provided using a static method on the WindowsIdentity object as shown in the example below. Please note, however, that this method requires the same level of permission as the one above.

WindowsIdentity ident = WindowsIdentity.GetCurrent();
WindowsPrincipal user = new WindowsPrincipal(ident);

Once a WindowsPrincipal is retrieved, group membership can be checked using the method IsInRole. If the goal of checking role group membership is to deny access to an application (vs. customizing the user experience), an even simpler approach is to use the PrincipalPermission to demand the required role.

The following example verifies that a user is in a given NT group using both WindowsPrincipal and PrincipalPermission.

VB WindowsIdentityCheck
View Source
[This sample can be found at C:\DevFusion.Data\legacy\quickstart.developerfusion.co.uk\QuickStart\howto\samples\Security\WindowsIdentityCheck\]

Microsoft .NET Framework SDK QuickStart Tutorials Version 2.0
Copyright � 2004 Microsoft Corporation. All rights reserved.