Why does PrincipalPermission(Attribute) not respect authentication type?

Question

IIdentity interface exposes AuthenticationType property which i would like to take into account because things are bit different if a user logs on with x509 or basic username/password auth, you know:

[PrincipalPermission(SecurityAction.Demand, Role = "BigBoss", AuthenticationType="basic")]
protected static void DoSomething() {}

But i can't. Moreover, both PrincipalPermission and PrincipalPermissionAttribute are sealed (thanks guys) so i cannot add the functionality I need. Is this for some special reason or just a design flaw? Any ideas how to workaround?

Answer 1

Despite both being related to security, authentication and authorization are actually separate concerns, and coupling authorization directly to the authentication mechanism is generally not a particularly good idea.

If you feel that you have compelling reasons to add such a coupling, then you have a couple of approaches available:

1. Add a role to your principal to reflect the authentication mechanism, then demand both the focal role and the authentication mechanism pseudo-role when the latter matters.
2. While PrincipalPermission and PrincipalPermissionAttribute are sealed, there's nothing stopping you from creating analogous types that do what you want.

For #2, you could get away with creating a custom attribute that creates a custom permission that wraps PrincipalPermission instead of re-creating all its logic from scratch.