Principal and Identity Objects

Note

This article applies to Windows.

For information about ASP.NET Core, see ASP.NET Core Security.

Managed code can discover the identity or the role of a principal through an IPrincipal object, which contains a reference to an IIdentity object. It might be helpful to compare identity and principal objects to familiar concepts like user and group accounts. In most network environments, user accounts represent people or programs, while group accounts represent certain categories of users and the rights they possess. Similarly, .NET identity objects represent users, while roles represent memberships and security contexts. In .NET, the principal object encapsulates both an identity object and a role. .NET applications grant rights to the principal based on its identity or, more commonly, its role membership.

Identity Objects

The identity object encapsulates information about the user or entity being validated. At their most basic level, identity objects contain a name and an authentication type. The name can be either a user's name or the name of a Windows account, while the authentication type can be either a supported logon protocol, such as Kerberos V5, or a custom value. .NET defines a GenericIdentity object that can be used for most custom logon scenarios and a more specialized WindowsIdentity object that can be used when you want your application to rely on Windows authentication. Additionally, you can define your own identity class that encapsulates custom user information.

The IIdentity interface defines properties for accessing a name and an authentication type, such as Kerberos V5 or NTLM. All Identity classes implement the IIdentity interface. There is no required relationship between an Identity object and the Windows NT process token under which a thread is currently executing. However, if the Identity object is a WindowsIdentity object, the identity is assumed to represent a Windows NT security token.

Principal Objects

The principal object represents the security context under which code is running. Applications that implement role-based security grant rights based on the role associated with a principal object. Similar to identity objects, .NET provides a GenericPrincipal object and a WindowsPrincipal object. You can also define your own custom principal classes.

The IPrincipal interface defines a property for accessing an associated Identity object as well as a method for determining whether the user identified by the Principal object is a member of a given role. All Principal classes implement the IPrincipal interface as well as any additional properties and methods that are necessary. For example, the common language runtime provides the WindowsPrincipal class, which implements additional functionality for mapping Windows NT or Windows 2000 group membership to roles.
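The following is an added example (not code from the original article) that pairs a GenericIdentity with a GenericPrincipal for a custom logon scheme and then shows a custom IPrincipal implementation whose IsInRole check denies unauthenticated identities by default. The names "alice" and "Operators" and the authentication type "token" are constructed values.

```csharp
using System;
using System.Security.Principal;

// Custom principal: role membership is only asserted for an authenticated identity.
// (Hypothetical class written for this example.)
class DenyByDefaultPrincipal : IPrincipal
{
    private readonly string[] _roles;

    public DenyByDefaultPrincipal(IIdentity identity, string[] roles)
    {
        Identity = identity;
        _roles = roles ?? Array.Empty<string>();
    }

    public IIdentity Identity { get; }

    public bool IsInRole(string role) =>
        Identity.IsAuthenticated &&
        Array.Exists(_roles, r => string.Equals(r, role, StringComparison.Ordinal));
}

static class Program
{
    static void Main()
    {
        // Identity = name + authentication type; "token" is a custom value, not Kerberos/NTLM.
        var identity = new GenericIdentity("alice", "token");
        IPrincipal principal = new GenericPrincipal(identity, new[] { "Operators" });

        Console.WriteLine($"{principal.Identity.Name} authenticated via {principal.Identity.AuthenticationType}");
        Console.WriteLine($"member of Operators: {principal.IsInRole("Operators")}");
        Console.WriteLine($"member of Admins:    {principal.IsInRole("Admins")}");

        // A GenericIdentity with an empty name reports IsAuthenticated == false; the
        // custom principal therefore refuses every role for it, even one it was given.
        var anonymous = new GenericIdentity("");
        IPrincipal guarded = new DenyByDefaultPrincipal(anonymous, new[] { "Operators" });
        Console.WriteLine($"anonymous authenticated: {anonymous.IsAuthenticated}");
        Console.WriteLine($"anonymous in Operators:  {guarded.IsInRole("Operators")}");
    }
}
```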

A Principal object is bound to a call context (CallContext) object within an application domain (AppDomain). A default call context is always created with each new AppDomain, so there is always a call context available to accept the Principal object. When a new thread is created, a CallContext object is also created for the thread. The Principal object reference is automatically copied from the creating thread to the new thread's CallContext. If the runtime cannot determine which Principal object belongs to the creator of the thread, it follows the default policy for Principal and Identity object creation.

A configurable application domain-specific policy defines the rules for deciding what type of Principal object to associate with a new application domain. Where security policy permits, the runtime can create Principal and Identity objects that reflect the operating system token associated with the current thread of execution. By default, the runtime uses Principal and Identity objects that represent unauthenticated users. The runtime does not create these default Principal and Identity objects until the code attempts to access them.

Trusted code that creates an application domain can set the application domain policy that controls construction of the default Principal and Identity objects. This application domain-specific policy applies to all execution threads in that application domain. An unmanaged, trusted host inherently has the ability to set this policy, but managed code that sets this policy must have the System.Security.Permissions.SecurityPermission for controlling domain policy.
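An added example (not from the original article) of the thread behaviour described above: the principal set on the creating thread through Thread.CurrentPrincipal is observed on a thread it starts, and, on Windows only, a WindowsPrincipal built from the current process token maps group membership to a built-in role. It assumes .NET 5 or later (for OperatingSystem.IsWindows); "svc-backup" and "Backup Operators" are constructed values.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

static class Program
{
    static void Main()
    {
        // Principal for the creating thread; "custom" is a made-up authentication type.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("svc-backup", "custom"), new[] { "Backup Operators" });

        var worker = new Thread(() =>
        {
            // The creator's Principal reference was copied into this thread's context.
            IPrincipal p = Thread.CurrentPrincipal;
            Console.WriteLine($"worker thread sees: {p?.Identity.Name}, " +
                              $"Backup Operators = {p?.IsInRole("Backup Operators")}");
        });
        worker.Start();
        worker.Join();

        if (OperatingSystem.IsWindows())
        {
            // WindowsIdentity represents the process token; WindowsPrincipal maps its
            // group membership to roles, here the built-in Administrators role.
            using WindowsIdentity wi = WindowsIdentity.GetCurrent();
            var wp = new WindowsPrincipal(wi);
            Console.WriteLine($"{wi.Name} ({wi.AuthenticationType}) administrator = " +
                              $"{wp.IsInRole(WindowsBuiltInRole.Administrator)}");
        }
    }
}
```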

When transmitting a Principal object across application domains but within the same process (and therefore on the same computer), the remoting infrastructure copies a reference to the Principal object associated with the caller's context to the callee's context.

See also