.NET provides layered security through authentication, authorization, confidentiality, and integrity. Beyond these, the framework offers powerful features—type safety, Code Access Security (CAS), impersonation, and security APIs (Membership, Roles, Profiles)—to help you build robust, secure applications. This page explains these mechanisms and shows how to implement them effectively.
Type-safe code only accesses memory it is authorized to use and only the public members of objects—preventing accidental or malicious corruption. The CLR enforces type safety at execution time and verifies MSIL (via peverify.exe) during JIT compilation; verified code is called verifiably type-safe.
Not all languages are type-safe (for example, C/C++), which can lead to memory vulnerabilities. In C#, the compiler catches unsafe assignments early:
// Type safety example
double var1 = 12.50;
int var2 = 5;
// This causes a compilation error - can't implicitly convert double to int
// var2 = var1; // Error: Cannot implicitly convert type 'double' to 'int'
// Correct approach with explicit casting
var2 = (int)var1; // Now var2 = 12A more complete example illustrates member accessibility and conversions:
public class TypeSafetyExample
{
private string privateData = "Secret";
public string publicData = "Public Info";
public void SafeMethod()
{
// Type-safe operations
int number = 42;
string text = number.ToString(); // Safe conversion
// This won't compile - type safety prevents it
// string wrong = number; // Error!
}
}
// From outside the class
TypeSafetyExample obj = new TypeSafetyExample();
Console.WriteLine(obj.publicData); // OK
// Console.WriteLine(obj.privateData); // Error! Can't access private memberCAS restricts what code can do based on evidence such as origin or zone. Untrusted code can be prevented from performing privileged actions. You can express CAS rules declaratively (attributes) or imperatively (runtime permission objects).
Apply attributes at class, member, or assembly scope using SecurityAction values:
using System.Security.Permissions;
[FileIOPermission(SecurityAction.Deny, Read = @"C:\App1\TestFolder")]
public class TestDeclarativeSecurity
{
public TestDeclarativeSecurity()
{
// Constructor protected by declarative security
}
public void TestMethod1()
{
// This method can't read from C:\App1\TestFolder
}
public void TestMethod2()
{
// This method also can't read from C:\App1\TestFolder
}
}Assembly-level requests:
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"C:\App1\AllowedFolder")]
[assembly: FileIOPermission(SecurityAction.Deny, Read = @"C:\App1\RestrictedFolder")]Network restriction example:
[WebPermission(SecurityAction.Deny, ConnectPattern = @"http://restricted-site\.com/.*")]
public class SecureNetworkClass
{
public void FetchData()
{
// This method cannot connect to restricted-site.com
}
}Imperative security uses permission objects in code for on-demand checks around sensitive operations:
using System.Security;
using System.Security.Permissions;
public class TestImperativeSecurity
{
public void TestMethod1()
{
FileIOPermission permission = new FileIOPermission(
FileIOPermissionAccess.Read,
@"C:\App1\TestFolder");
try
{
permission.Demand();
// Code that requires file access
string content = System.IO.File.ReadAllText(@"C:\App1\TestFolder\data.txt");
}
catch (SecurityException ex)
{
Console.WriteLine($"Security exception: {ex.Message}");
}
}
public void TestMethod2()
{
// This method is not protected by imperative security
}
}using System.Net;
using System.Security;
using System.Security.Permissions;
public void AccessWebResource(string url)
{
WebPermission permission = new WebPermission(
NetworkAccess.Connect,
url);
try
{
permission.Demand();
using (WebClient client = new WebClient())
{
string data = client.DownloadString(url);
}
}
catch (SecurityException ex)
{
Console.WriteLine($"Access denied: {ex.Message}");
}
}Impersonation runs your code as another Windows user—useful for leveraging Windows permissions, enforcing least privilege, or separating app-level permissions. Always revert to the original context.
<system.web>
<identity impersonate="true" />
</system.web><system.web>
<identity impersonate="true" userName="DOMAIN\Username" password="password" />
</system.web>using System;
using System.IO;
using System.Security.Principal;
public class ImpersonationExample
{
public void ExecuteAsUser(string username, string domain, string password)
{
WindowsImpersonationContext impersonationContext = null;
try
{
// NOTE: Creating a token requires secure credential handling; simplified here.
WindowsIdentity identity = new WindowsIdentity($"{domain}\\{username}");
impersonationContext = identity.Impersonate();
string path = @"C:\SecureFolder\data.txt";
if (File.Exists(path))
{
string content = File.ReadAllText(path);
Console.WriteLine("File accessed successfully");
}
}
catch (UnauthorizedAccessException ex)
{
Console.WriteLine($"Access denied: {ex.Message}");
}
finally
{
impersonationContext?.Undo();
}
}
}
IIdentity represents who the user is (name, authentication type, authenticated status) and IPrincipal adds roles for authorization checks. In ASP.NET, access them via HttpContext.Current.User.
// Check if user belongs to a specific role
if (System.Web.HttpContext.Current.User.IsInRole("Administrators"))
{
Console.WriteLine("User is an administrator");
}
// Check whether user is authenticated
if (System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
{
Console.WriteLine("User is authenticated");
}
else
{
System.Web.HttpContext.Current.Response.Redirect("Login.aspx");
}
// Get the name of the logged-in user
string username = System.Web.HttpContext.Current.User.Identity.Name;
Console.WriteLine($"Current user: {username}");using System.Security.Principal;
using System.Web;
public class SecurityContextExample
{
public void CheckUserAccess()
{
IPrincipal user = HttpContext.Current.User;
if (user.Identity.IsAuthenticated)
{
System.Console.WriteLine($"Welcome, {user.Identity.Name}!");
System.Console.WriteLine($"Authentication Type: {user.Identity.AuthenticationType}");
if (user.IsInRole("Administrators")) ShowAdminPanel();
else if (user.IsInRole("Users")) ShowUserPanel();
else ShowGuestPanel();
}
else
{
HttpContext.Current.Response.Redirect("Login.aspx");
}
}
private void ShowAdminPanel() { System.Console.WriteLine("Displaying admin panel"); }
private void ShowUserPanel() { System.Console.WriteLine("Displaying user panel"); }
private void ShowGuestPanel() { System.Console.WriteLine("Displaying guest panel"); }
}
Implement IPrincipal for advanced role models or external identity providers.
using System;
using System.Security.Principal;
using System.Threading;
public class CustomPrincipal : IPrincipal
{
private IIdentity identity;
private string[] roles;
public CustomPrincipal(IIdentity identity, string[] roles)
{
this.identity = identity;
this.roles = roles;
}
public IIdentity Identity => identity;
public bool IsInRole(string role)
{
return Array.IndexOf(roles, role) != -1;
}
}
// Usage
IIdentity identity = new GenericIdentity("john.doe");
string[] roles = new[] { "Users", "Managers" };
CustomPrincipal principal = new CustomPrincipal(identity, roles);
Thread.CurrentPrincipal = principal;using System.Web.Security;
// Create a new user
MembershipUser newUser = Membership.CreateUser(
"username",
"password123",
"user@example.com");
// Validate credentials
if (Membership.ValidateUser("username", "password123"))
{
FormsAuthentication.SetAuthCookie("username", false);
}
// Password recovery
MembershipUser user = Membership.GetUser("username");
string newPassword = user.ResetPassword();using System.Web.Security;
// Create a role
if (!Roles.RoleExists("Managers"))
{
Roles.CreateRole("Managers");
}
// Add user to role
Roles.AddUserToRole("username", "Managers");
// Check if user is in role
if (Roles.IsUserInRole("username", "Managers"))
{
// Grant manager access
}
// Get all roles for a user
string[] userRoles = Roles.GetRolesForUser("username");<system.web>
<profile>
<properties>
<add name="FirstName" type="string" />
<add name="LastName" type="string" />
<add name="Theme" type="string" defaultValue="Blue" />
</properties>
</profile>
</system.web>// Use profile in code (classic ASP.NET Profile Provider)
Profile.FirstName = "John";
Profile.LastName = "Doe";
Profile.Theme = "Dark";
// Retrieve profile
string theme = Profile.Theme;
System.Console.WriteLine($"User's theme: {theme}");.NET provides many ways to ensure security in your applications. By combining type safety, CAS (declarative and imperative), impersonation, and the built-in security APIs, you can build robust solutions that protect both code and data. Choose broad, attribute-based rules where possible, and use targeted, runtime checks for sensitive operations that vary by context.
Declarative security uses attributes applied at class, assembly, or member level for consistent enforcement; imperative security creates permission objects at runtime for fine-grained, conditional checks. Use declarative for broad, maintainable policies and imperative for localized or dynamic scenarios.
Impersonation executes code with another Windows identity, letting you rely on OS-level permissions. Common uses include accessing network shares, enforcing least privilege for file operations, and segregating app permissions. Always revert the context and avoid storing credentials in plain text.
Identity captures who the user is (name, authentication type, authenticated flag). Principal wraps Identity with roles for authorization checks via IsInRole. In ASP.NET, use HttpContext.Current.User to gate access and features.