How Do I... Check the Windows Identity in a client application?
User identity is a common means of controlling access to a business application
or limiting the options available within that application. The .NET Framework
classes under the namespace System.Security.Principal are
provided to assist in making such role-based security determinations.
These classes and the mechanisms they expose are highly extensible. They allow host
code to provide its own user identity and role information, or allow it to expose the
user account and group information provided by Windows. For more complete details
regarding how to extend the role-based security system, consult the .NET Framework
SDK Developer's Guide.
For those who simply need to check the user's Windows user name and group
memberships from a client application, this topic will show you how.
The Framework provides a WindowsIdentity class that represents an
authenticated Windows user and a WindowsPrincipal class that
encapsulates the WindowsIdentity and information about the user's
role memberships. These objects representing the current user are accessible in one
of two ways: using a static property on the Thread object or a static
method on the WindowsIdentity object. Examples of both are given
in the following section.
Accessing the current principal from the Thread is the standard
approach, and it works for all types of principal objects. But, because this method
returns an IPrincipal, it must be cast as a WindowsPrincipal
before it can be used as one. Notice that before accessing the current principal,
a call to SetPrincipalPolicy is made. This is noteworthy
because without it the principal returned would be a GenericPrincipal
containing no user information. As the call to SetPrincipalPolicy
requires the ControlPrincipal SecurityPermission (one not
normally granted to less than fully trusted code), this prevents semi-trusted code
(such as code running from the Internet) from gaining access to a user's account name.
C#
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal user = (WindowsPrincipal)System.Threading.Thread.CurrentPrincipal;
// WindowsPrincipal.Identity is typed as IIdentity, so it too must be cast.
WindowsIdentity ident = (WindowsIdentity)user.Identity;
Since checking for a Windows identity is expected to be a very common case, a
shortcut is provided using a static method on the WindowsIdentity object
as shown in the example below. Please note, however, that this method requires the
same level of permission as the one above.
C#
WindowsIdentity ident = WindowsIdentity.GetCurrent();
WindowsPrincipal user = new WindowsPrincipal(ident);
Once a WindowsPrincipal is retrieved, group membership can be checked using
the method IsInRole. If the goal of checking role group membership is to
deny access to an application (vs. customizing the user experience), an even simpler approach
is to use the PrincipalPermission to demand the required role.
The following example verifies that a user is in a given NT group using both
WindowsPrincipal and PrincipalPermission.
Sample: WindowsIdentityCheck (VB)
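The two approaches described above (branching on IsInRole to customize the experience, and demanding a PrincipalPermission to deny access outright), carried through in one program. This is an added example written for this topic, not the QuickStart's own WindowsIdentityCheck sample; it assumes a fully trusted .NET Framework console application running on Windows, and the group names BUILTIN\Users and BUILTIN\Administrators are illustrative placeholders.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not the QuickStart's own sample. Assumes a fully trusted
// .NET Framework console application running on Windows.
class WindowsIdentityCheck
{
    static void Main()
    {
        // Without this call Thread.CurrentPrincipal is a GenericPrincipal
        // that carries no Windows account information.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        WindowsPrincipal user = (WindowsPrincipal)Thread.CurrentPrincipal;
        WindowsIdentity ident = (WindowsIdentity)user.Identity;
        Console.WriteLine("User:          {0}", ident.Name);

        // Customizing the experience: branch on IsInRole. Built-in roles are
        // matched by well-known SID, so this also works on localized Windows.
        bool isAdmin = user.IsInRole(WindowsBuiltInRole.Administrator);
        Console.WriteLine("Administrator: {0}", isAdmin);

        // Any other group is checked by name (DOMAIN\Group or BUILTIN\Group);
        // "BUILTIN\Users" is a placeholder, substitute the group you require.
        string requiredGroup = @"BUILTIN\Users";
        Console.WriteLine("In {0}: {1}", requiredGroup, user.IsInRole(requiredGroup));

        // Denying access: demand the role and let the runtime refuse entry.
        try
        {
            RunAdminOnlyTask();
            Console.WriteLine("Admin-only task ran.");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Access denied: {0}", ex.Message);
        }
    }

    // Declarative demand: the runtime checks Thread.CurrentPrincipal.IsInRole
    // before the method body executes and throws SecurityException otherwise.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
    static void RunAdminOnlyTask()
    {
        // The same check in imperative form, for comparison.
        new PrincipalPermission(null, @"BUILTIN\Administrators").Demand();
    }
}
```

Under User Account Control a process that was not started elevated runs with a filtered token, so the Administrator role check returns false for an administrator account until the application is elevated; treat that as the expected result rather than a defect.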
Microsoft .NET Framework SDK QuickStart Tutorials Version 2.0
Copyright © 2004 Microsoft Corporation. All rights reserved.