This article illustrates how to use the WindowsIdentity and WindowsPrincipal classes to test for a user's inclusion in a specified security group and how to use the PrincipalPermission class to perform a security check against the active principal.
Determining Role
The .NET security classes enable you to determine both authentication information regarding a user and specific role information (see Figure 1).
Figure 1. User Information Regarding Authentication and Specific Roles
As Figure 1 shows, I am an Administrator on the HOMEOFFICE domain. I determined this programmatically via the WindowsIdentity and WindowsPrincipal classes by taking the following steps:
- Include the necessary namespace:
using namespace System::Security::Principal;
- Obtain the WindowsIdentity object associated with the current user:
WindowsIdentity* identity = WindowsIdentity::GetCurrent();
- Create a WindowsPrincipal object based on the WindowsIdentity object. The WindowsPrincipal object contains information regarding the current user's group membership(s):
WindowsPrincipal* principal = new WindowsPrincipal(identity);
- Call the WindowsPrincipal::IsInRole method, passing it either a string representing the role you are verifying or any of the members of the WindowsBuiltInRole enumeration type:
bool isAdmin = principal->IsInRole(WindowsBuiltInRole::Administrator);
Using the PrincipalPermissions Object
Another way to check for the inclusion of a user in a security group is by using the PrincipalPermission class, which allows you to perform a security check against the active principal:
- Include the necessary namespaces
using namespace System::Security::Permissions;
using namespace System::Threading;
- Call the current domain's SetPrincipal method, passing to it the desired principal policy. Calling this method dictates how principal and identity objects should be attached to a thread if the thread attempts to bind to a principal. In most cases, you'll pass the PrincipalPolicy::WindowsPrincipal enumeration member value so that operating system groups are mapped to security roles. Do this in situations where the code is making role-based security demands:
AppDomain* dom = AppDomain::CurrentDomain;
dom->SetPrincipalPolicy(PrincipalPolicy::WindowsPrincipal);
- Obtain the user's name via the current WindowsIdentity object:
WindowsIdentity* identity = WindowsIdentity::GetCurrent();
- Instantiate a PrincipalPermissions object. When constructing this type, you must pass both the name of the user (the reason for the previous step) and the security group name. (Note that you cannot pass a WindowsBuiltInRole enumeration value, such as WindowsBuiltInRole::Administrator, here.)
PrincipalPermission* permissions
= new PrincipalPermission(identity->Name, "Administrators");
- In a try block, call the PrincipalPermission::Demand method before attempting to call code that is specific to a given user group's permissions. If the user does not belong in the group specified in the constructor of the PrincipalPermission object, a Security::SecurityException will be thrown. Therefore, placing a call to the Demand method at the top of a try block that then continues to security-specific code enables you to gracefully handle scenarios in which the user doesn't have the necessary security privileges to run the intended code:
try
{
permissions->Demand();
}
catch(Security::SecurityException* ex)
{
}
About the Author
I am a Program Manager and Content Strategist for the Microsoft MSDN Online team managing the Windows Vista and Visual C++ developer centers.
Before being employed at Microsoft, I was awarded MVP status for the Visual C++ product. A 20+ year veteran of programming with various languages - C++, C, Assembler, RPG III/400, PL/I, etc. - I've also written many technical books (Inside C#, Extending MFC Applications with the .NET Framework, Visual C++.NET Bible, etc.) and 100+ online articles.
All
IE 7
Firefox 2.0
