Get the name of the currently logged in user
See if they belong to a specific security group
You can get the user name of the currently logged in user and check their
membership in a Windows Security Group using the IsInRole method of the
WindowsPrincipal object, reached through Thread.CurrentPrincipal in the
System.Threading namespace.
According to MSDN, "VB.NET's managed code can discover the identity or the role
of a principal through a Principal Object which
contains a reference to an Identity Object".
What does this mean? Think of Identity and Principal objects in terms
of User and Group accounts. User accounts represent people and
Group accounts represent categories of users and the rights they possess. In
the .NET Framework, Identity objects represent individuals such as users, roles
represent security group memberships and rights, and Principals represent the
combination of an Identity and its roles (e.g. Administrator, Power User, Backup
Operator, etc.).
In the .NET Framework, the Principal object encapsulates both an Identity object
and a role and represents the security context under which code is running. So
to check a user's membership in a security group we need to use the Principal
object.
Wait, there's more. From the operating system's perspective each process and all
its threads have an associated security token that uniquely specifies the
identity, group membership, and privileges of the thread. From the .NET
Framework point of view, each thread has a Principal associated with it that
determines the identity of the thread and the roles it supports. However, the
.NET Runtime may associate a Principal to a thread that differs from the
security token used by the operating system.
To check for security group membership you must set the principal
policy to use the WindowsPrincipal corresponding
to the current security token (i.e. the current user). Principal policy is set on a
per-AppDomain basis.
This leads to the following code:
Imports System.Security
Imports System.Threading
Imports System.Windows.Forms
'
' Create an Identity object. Get the current domain\user.
' Parse out the domain name (the trailing backslash is kept on purpose).
'
Dim aID As Principal.WindowsIdentity = Principal.WindowsIdentity.GetCurrent()
Dim aName As String = aID.Name
Dim aDomain As String = aName.Substring(0, aName.IndexOf("\") + 1)
'
' Associate the WindowsPrincipal object with your app's thread.
' aDomain & "GROUP_NAME" is of the form <domain name>\<your group name>.
'
AppDomain.CurrentDomain.SetPrincipalPolicy( _
    Principal.PrincipalPolicy.WindowsPrincipal)
If Not Thread.CurrentPrincipal.IsInRole(aDomain & "GROUP_NAME") Then
    MsgBox("Authorization Failure.", MsgBoxStyle.Critical, "Error")
    Application.Exit()
End If
If you want to check membership in one of the standard built-in groups, you can
use the IsInRole overload that takes a WindowsBuiltInRole enumerated value:
Imports System
Imports System.Diagnostics
Imports System.Security.Principal
Imports System.Threading
AppDomain.CurrentDomain.SetPrincipalPolicy( _
    PrincipalPolicy.WindowsPrincipal)
' Cast the thread's IPrincipal to WindowsPrincipal so the enum overload is available.
Dim WP As WindowsPrincipal = DirectCast(Thread.CurrentPrincipal, WindowsPrincipal)
Debug.WriteLine(WP.IsInRole(WindowsBuiltInRole.Administrator))
It's critical to place the current principal into the WP variable first. This
ensures the .NET compiler uses the correct overload signature for the IsInRole
method: the IPrincipal interface returned by Thread.CurrentPrincipal only
exposes the String overload, while WindowsPrincipal adds the enumerated one.
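As an added example (not part of the original tip), the following console module carries the same checks through using security identifiers rather than display names, which avoids mismatches when a group is renamed or localized; the group name CONTOSO\AppOperators is a placeholder and the module assumes .NET Framework 2.0 or later.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Threading

Module GroupCheck
    ' Resolve a "DOMAIN\Group" name to its SID once, then compare SIDs against the
    ' token's group list instead of comparing strings.
    Function IsMemberOfGroup(ByVal groupName As String) As Boolean
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)
        Dim wp As WindowsPrincipal = DirectCast(Thread.CurrentPrincipal, WindowsPrincipal)
        Dim sid As SecurityIdentifier
        Try
            sid = DirectCast(New NTAccount(groupName).Translate(GetType(SecurityIdentifier)), _
                             SecurityIdentifier)
        Catch ex As IdentityNotMappedException
            ' The group could not be resolved: deny rather than fail open.
            Return False
        End Try
        Return wp.IsInRole(sid)
    End Function

    ' Built-in groups have the same well-known SID on every Windows installation,
    ' so checking the SID is independent of the display language.
    Function IsLocalAdministrator() As Boolean
        ' Building the principal directly from the current token does not depend
        ' on the AppDomain principal policy.
        Dim wp As New WindowsPrincipal(WindowsIdentity.GetCurrent())
        Dim adminSid As New SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, Nothing)
        ' Under UAC a non-elevated process of an administrator runs with a filtered
        ' token, so this returns False until the process is elevated.
        Return wp.IsInRole(adminSid)
    End Function

    Sub Main()
        ' CONTOSO\AppOperators is a placeholder; substitute a real group name.
        Console.WriteLine("Member of CONTOSO\AppOperators: " & IsMemberOfGroup("CONTOSO\AppOperators"))
        Console.WriteLine("Local administrator (elevated): " & IsLocalAdministrator())
    End Sub
End Module
```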
The book "Visual Basic .NET Code Security Handbook" contains an excellent
description of .NET security.
As an aside, in an ASP.NET application the application does not run under the
user's Id. Instead it runs under the ASP Id, typically ASPNET.
To get the Id, use this:
strID = Environment.UserName