Your UserIdentity hierarchy seems to be confusing security rights with identity - which is where the lines are blurring for you between authentication and authorization. I think a more appropriate example would be something like:

class DatabaseIdentity : UserIdentity // retrieved from app specific custom DB
class FlickrIdentity : UserIdentity   // uses Flickr.com login info
class LdapIdentity : UserIdentity     // from enterprise LDAP store

Each *Identity class has its own logic for authenticating a user and retrieving/persisting user details. See FormsIdentity and PassportIdentity for a concrete example.

Now, when your app wants to determine if the user is allowed to run the Admin functions, you'd perhaps use your own IPrincipal implementation that takes in a UserIdentity and loads the appropriate roles from your custom DB store, and then call Principal.IsInRole("Admin"):

class DatabasePrincipal : IPrincipal {
    DatabasePrincipal(UserIdentity identity)
}

The WindowsIdentity/Principal combo isn't the best example of this, since the store is ultimately the same (Active Directory) for both authentication and group (role) info. But, you could use a WindowsIdentity with the above DatabasePrincipal or GenericPrincipal and load role info from somewhere else. Using WindowsPrincipal without a WindowsIdentity is a bit more problematic (and wouldn't make much sense, knowing that AD stores group info based on User SIDs - which your Identity classes wouldn't have).

--MB

> -----Original Message-----
> From: Discussion of advanced .NET topics. [mailto:ADVANCED-[EMAIL PROTECTED] On Behalf Of Miika Mäkinen
> Sent: Thursday, December 13, 2007 12:15 AM
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> Subject: Re: [ADVANCED-DOTNET] IPrincipal and IIdentity
>
> Hi all,
>
> After looking through the code for the two pairs implementing these interfaces in mscorlib using Reflector I think I start to understand... To me it still looks like this separation is a little bit artificial though. Like I said, there are two pairs: GenericPrincipal + GenericIdentity and WindowsPrincipal + WindowsIdentity. I.e. very tightly coupled classes... in fact I can't see any other reason why these are separated but to have less code per class. Another thing that doesn't make it any easier to understand is the IPrincipal interface being as it is... one method, IsInRole(string)! This is hardly an ideal way for many applications to authorize a user! And in fact I can see that WindowsPrincipal uses a lot of other ways...
>
> Or maybe my confusion just comes from the fact that I haven't needed multiple different IIdentity classes... There I could see a reason to use this:
>
> abstract UserIdentity : IIdentity
>
> class AdminIdentity : UserIdentity
> class AnonymousIdentity : UserIdentity
> class SalesPersonIdentity : UserIdentity
>
> class UserPrincipal : IPrincipal
>     + ctor(UserIdentity identity)
>
> Maybe somebody's doing it like the above? Or do you have better examples where it's clear why these are separated?
>
> Ah, I just hate to see such central concepts that I don't clearly understand :) Sorry about being difficult...
>
> Cheers,
> Miika
>
> ps. Looking at http://blogs.msdn.com/ploeh/archive/2007/08/20/UserContext.aspx, it says "Should I create both a UserPrincipal and a UserIdentity class? In some cases, it makes sense, while in others, it doesn't"... At least this article confirms that it's OK to implement them in the same class if you don't see a reason not to...
>
> On Dec 12, 2007 11:54 PM, Mark Brackett <[EMAIL PROTECTED]> wrote:
>
> > Authentication (IIdentity) vs. Authorization (IPrincipal).
> >
> > --MB
> >
> > > -----Original Message-----
> > > From: Discussion of advanced .NET topics. [mailto:ADVANCED-[EMAIL PROTECTED] On Behalf Of Miika Mäkinen
> > > Sent: Tuesday, December 11, 2007 10:30 PM
> > > To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> > > Subject: Re: [ADVANCED-DOTNET] IPrincipal and IIdentity
> > >
> > > Thanks Brandon... This text in MSDN is the reason why I was asking... to me, very cryptic explanations!
> > >
> > > On Dec 11, 2007 10:34 PM, Brandon Willoughby <[EMAIL PROTECTED]> wrote:
> > >
> > > > Taken from the MSDN:
> > > >
> > > > IIdentity:
> > > >
> > > > An identity object represents the user on whose behalf the code is running.
> > > >
> > > > IPrincipal:
> > > >
> > > > A principal object represents the security context of the user on whose behalf the code is running, including that user's identity (IIdentity) and any roles to which they belong.
> > > >
> > > > http://msdn2.microsoft.com/en-us/library/system.security.principal.iidentity(VS.80).aspx
> > > >
> > > > http://msdn2.microsoft.com/en-us/library/system.security.principal.iprincipal.aspx
> > > >
> > > > Brandon W
> > > >
> > > > Miika Mäkinen wrote:
> > > > > Hi all,
> > > > > I'm having a hard time understanding what the purpose of IPrincipal and IIdentity is. Why are these 2 separate interfaces? To me it just complicates matters... Does anybody know of a good article explaining...
> > > > >
> > > > > Cheers,
> > > > > Miika

===================================
This list is hosted by DevelopMentor® http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com
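The separation Mark describes above, worked through as an added example (this is not code from any poster in the thread): one IIdentity that only authenticates against its own store, and one IPrincipal that accepts any IIdentity and loads roles from a different store. The in-memory user and role dictionaries are constructed stand-ins for the "custom DB" in the thread, and the class names DatabaseIdentity/DatabasePrincipal follow the names used in the reply; a WindowsIdentity or GenericIdentity can be handed to the same principal, which is the point.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

// Authentication side: knows how to validate credentials against ONE store.
// The dictionary below is a constructed stand-in for an application DB; a real
// store would hold salted password hashes, never plaintext.
public sealed class DatabaseIdentity : IIdentity
{
    private static readonly Dictionary<string, string> Users =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", "correct horse" },
            { "bob",   "battery staple" },
        };

    private DatabaseIdentity(string name, bool isAuthenticated)
    {
        Name = name;
        IsAuthenticated = isAuthenticated;
    }

    public string Name { get; }
    public string AuthenticationType => "DatabaseIdentity";
    public bool IsAuthenticated { get; }

    // Always returns an identity; callers must check IsAuthenticated instead of
    // treating "non-null" as "logged in". Failed logins get an empty Name.
    public static DatabaseIdentity Authenticate(string name, string password)
    {
        bool ok = Users.TryGetValue(name, out var expected)
                  && FixedTimeEquals(expected, password);
        return new DatabaseIdentity(ok ? name : string.Empty, ok);
    }

    // Compare every character so a mismatch position does not leak via timing
    // (length still leaks; hashes of fixed length avoid that in a real store).
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Authorization side: takes ANY IIdentity (database, generic, Windows) and
// looks up roles in a separate, constructed role store keyed by the name.
public sealed class DatabasePrincipal : IPrincipal
{
    private static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Admin", "Sales" } },
            { "bob",   new[] { "Sales" } },
        };

    private readonly HashSet<string> _roles;

    public DatabasePrincipal(IIdentity identity)
    {
        Identity = identity ?? throw new ArgumentNullException(nameof(identity));
        // An unauthenticated identity gets no roles, whatever its Name says;
        // otherwise an anonymous identity carrying a well-known name would be
        // authorized as that user.
        _roles = identity.IsAuthenticated && Roles.TryGetValue(identity.Name, out var r)
            ? new HashSet<string>(r, StringComparer.OrdinalIgnoreCase)
            : new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get; }

    public bool IsInRole(string role) => _roles.Contains(role);
}

public static class Demo
{
    public static void Main()
    {
        // Same principal type wrapping identities from different sources.
        var dbUser   = new DatabasePrincipal(DatabaseIdentity.Authenticate("alice", "correct horse"));
        var generic  = new DatabasePrincipal(new GenericIdentity("bob", "Custom")); // authenticated elsewhere
        var badLogin = new DatabasePrincipal(DatabaseIdentity.Authenticate("alice", "wrong password"));

        Console.WriteLine("alice via DB, Admin? " + dbUser.IsInRole("Admin"));
        Console.WriteLine("bob via generic identity, Admin? " + generic.IsInRole("Admin"));
        Console.WriteLine("failed alice login, Admin? " + badLogin.IsInRole("Admin"));

        // Downstream code authorizes through the thread principal and never
        // needs to know which store authenticated the user.
        Thread.CurrentPrincipal = dbUser;
        RunAdminTask();
    }

    private static void RunAdminTask()
    {
        if (!Thread.CurrentPrincipal.IsInRole("Admin"))
            throw new UnauthorizedAccessException("Admin role required");
        Console.WriteLine("admin task ran");
    }
}
```

Two design points worth noting: the principal snapshots roles at construction, so a role revoked in the store after login stays in effect until a new principal is built (construct it per request rather than caching it for a session if that matters); and the IsAuthenticated check in the principal's constructor is the guard that keeps the two concerns honest, since nothing in IIdentity itself stops someone from constructing an identity with an arbitrary Name.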