NGWS SDK Documentation  

This is preliminary documentation and subject to change.

Managing Principal and Identity Objects

Setting Identity/Role object Policy

Trusted code that creates an AppDomain may set the AppDomain policy that controls construction of default Principal and Identity objects. This policy is global to the AppDomain and applies to all execution threads. An unmanaged Trusted Host inherently has the right to set this policy. Managed code creating an AppDomain must have the System.Security.Permissions.SecurityPermission(ControlPrincipal) permission to set this policy.

Setting the policy is done using a method on the AppDomain:

AppDomain.SetPrincipalPolicy(PrincipalPolicy policy)

where PrincipalPolicy is an enum with the following values:

enum PrincipalPolicy {
   UnauthenticatedPrincipal,   // create Generic Identity and Principal objects representing the unauthenticated entity
   WindowsPrincipal            // create WindowsIdentity and WindowsPrincipal objects representing the NT token for the execution thread
}

Additional policy values may be allowed in future releases.
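
A minimal managed host that applies this policy and shows its AppDomain-wide effect, as an added example that is not part of the original SDK text. It assumes the type and member names of the released .NET Framework on Windows (AppDomain.CurrentDomain, Thread.CurrentPrincipal, SecurityException), which this preliminary page does not itself show; PrincipalPolicyDemo and Report are hypothetical names.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

static class PrincipalPolicyDemo
{
    // Hypothetical helper: report the default principal the runtime builds for the calling thread.
    static void Report(string where)
    {
        IPrincipal p = Thread.CurrentPrincipal;   // constructed on first use from the AppDomain policy
        Console.WriteLine("{0}: {1}, name='{2}', authenticated={3}",
            where, p.GetType().Name, p.Identity.Name, p.Identity.IsAuthenticated);

        // Authorization decisions should fail closed for the unauthenticated principal.
        if (!p.Identity.IsAuthenticated)
            Console.WriteLine("{0}: unauthenticated, denying privileged operation", where);
    }

    static void Main(string[] args)
    {
        // Pick the policy from the command line; default to WindowsPrincipal.
        PrincipalPolicy policy = (args.Length > 0 && args[0] == "unauthenticated")
            ? PrincipalPolicy.UnauthenticatedPrincipal
            : PrincipalPolicy.WindowsPrincipal;

        try
        {
            // Needs SecurityPermission(ControlPrincipal); set it before any thread reads its principal.
            AppDomain.CurrentDomain.SetPrincipalPolicy(policy);
        }
        catch (SecurityException e)
        {
            Console.Error.WriteLine("Caller lacks ControlPrincipal: " + e.Message);
            return;
        }

        // The policy is AppDomain-wide: a new thread gets its default principal from it too.
        Thread worker = new Thread(() => Report("worker thread"));
        worker.Start();
        worker.Join();
        Report("main thread");
    }
}
```

Run with no argument, both threads report a WindowsPrincipal for the process token; run with the argument "unauthenticated", both report a GenericPrincipal with an empty name and take the deny branch.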

Supplying Principal and Identity Objects to an AppDomain

An unmanaged Trusted Host creating an AppDomain may also supply a Principal object and its associated Identity object to attach to the CallContext for a given thread. A Trusted Host can construct these objects using the NGWS runtime interoperability facilities.

A method on the AppDomain is defined for this purpose:

AppDomain.SetThreadPrincipal(IPrincipal principal)

Managed code creating a new in-proc AppDomain is not allowed to supply initial Principal and Identity objects. The rules for assigning an initial Principal object in this case are described in the section entitled Managing Identity and Role Information.

Constructing Default Principal and Identity Objects

Replacing a Principal Object

Once running inside an AppDomain, authorized managed code may replace the active Principal object for the current thread. To do this, the code:

Modifying Principal and Identity Objects

Principal and Identity objects in the NGWS runtime are not modifiable after construction. The identity, role, and other information they represent are bound into them at creation time and cannot be changed by application code.

Principal and Identity Object Destruction

Principal and Identity objects cannot be destroyed by application code. They are managed objects and will be automatically garbage collected by the NGWS runtime when no longer referenced.