NGWS SDK Documentation  

This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!

Role-based Security Checks

Managed code can use security checks to determine whether a particular Principal object is a member of a known role, has a known identity, or represents a known identity acting in a role. To cause the security check to occur, a security demand for an appropriately constructed PrincipalPermission object must be made, either declaratively or imperatively. During the security check, the runtime examines the principal to see if its identity and role match those represented by the PrincipalPermission that is being demanded. If the PrincipalPermission has not been granted, a SecurityException is thrown. (Only the permissions of the principal are examined, not the permissions of all callers in the call stack as is the case with code access permission security checks.)

For an imperative demand, the code creates a PrincipalPermission object that represents the desired identity and/or role and then calls the Demand method of the PrincipalPermission object to determine whether the current Principal object represents the specified identity and/or role.

For example, the following code demands that the principal have the identity "fred" and be a member of the "Teller" role:

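// Requires: using System.Security.Permissions;
String id = "fred";
String role = "Teller";
PrincipalPermission principalPerm = new PrincipalPermission(id, role);
// Throws SecurityException if the current principal does not match.
principalPerm.Demand();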

When the security check is being performed, both the specified identity and role must match for the check to succeed. However, when you create the PrincipalPermission object, you can pass a NULL identity string to indicate that the identity of the principal can be anything. Similarly, passing a NULL role string indicates that the principal can be a member of any role (or no roles at all).

You might use declarative demands instead of imperative demands if the compiler you are using provides a tool that makes applying declarative demands simpler than imperative ones. Declarative demands for PrincipalPermission work the same way that declarative demands for code access permissions work: demands can be placed at the class level as well as on individual methods, properties, or events. If a declarative demand is placed at both the class and member level, the declarative demand on the member overrides (or replaces) the demand at the class level.
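The following program is an added example, not part of the SDK documentation. It exercises the matching rules described above (identity and role both specified, a null identity, a null role) and a member-level declarative demand replacing a class-level one. It assumes the .NET Framework, where declarative demands are enforced, and uses the PrincipalPermissionAttribute, GenericPrincipal and GenericIdentity types; the Vault and Demo classes and the "Manager" role are hypothetical.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Class-level demand: any identity, but the principal must be in "Teller".
[PrincipalPermission(SecurityAction.Demand, Role = "Teller")]
class Vault   // hypothetical class
{
    // Covered by the class-level demand.
    public void Count() { }

    // Member-level demand replaces the class-level demand for this method.
    [PrincipalPermission(SecurityAction.Demand, Name = "fred", Role = "Manager")]
    public void Open() { }
}

static class Demo
{
    // Runs an action and reports whether the security check let it through.
    static string Try(Action action)
    {
        try { action(); return "allowed"; }
        catch (SecurityException) { return "SecurityException"; }
    }

    static void Main()
    {
        // Constructed principal: identity "fred", member of "Teller" only.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("fred"), new[] { "Teller" });

        // Imperative demands: identity and role, null identity, null role, wrong role.
        Console.WriteLine(Try(() => new PrincipalPermission("fred", "Teller").Demand()));
        Console.WriteLine(Try(() => new PrincipalPermission(null, "Teller").Demand()));
        Console.WriteLine(Try(() => new PrincipalPermission("fred", null).Demand()));
        Console.WriteLine(Try(() => new PrincipalPermission("fred", "Manager").Demand()));

        // Declarative demands: class-level on Count, member-level override on Open.
        Console.WriteLine(Try(() => new Vault().Count()));
        Console.WriteLine(Try(() => new Vault().Open()));
    }
}
```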