Role Based Authorization in .NET with PrincipalPermission and SecurityAction.Assert
I have a class attributed with
[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
public class MyProtectedClass { }
This works as expected and callers are denied access when the current principal is not authenticated. In one specific scenario, I want this logic short-circuited...that is, the caller should not need to be authenticated. One way of accomplishing this would certainly be to reset the Thread's CurrentPrincipal with a new one whose Identity's IsAuthenticated property is true...
However, I think I should be able to accomplish this by having the caller Assert:
[PrincipalPermission(SecurityAction.Assert, Authenticated = true)]
public class MyExemptedCallerClass { }
This does not produce the desired effect, however, and the method in MyExemptedCallerClass still throws an exception trying to instantiate MyProtectedClass.
Any ideas? Is there another/better way to accomplish this?
Thanks.
Here are a couple of thoughts:
- Place the PrincipalPermission attribute on the methods you wish to protect, not the class.
- If a piece of code needs to be run by both authenticated and unauthenticated users, then perhaps it does not belong in MyProtectedClass. Perhaps it belongs in MyUnprotectedClass, which can only be instantiated in the one specific scenario you mentioned above. Authenticated clients could still reach the code in MyUnprotectedClass by calling facade methods on MyProtectedClass.
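An added example (not the answerer's code) of the layout the two points above describe, for .NET Framework where declarative PrincipalPermission is enforced: the demand sits on a method of MyProtectedClass rather than on the class, the shared logic lives in MyUnprotectedClass with an internal constructor, and a single static entry point is the only way to reach it without authentication. The class names MyUnprotectedClass, DoWork and CreateExempted are assumptions, and the principals in Main are constructed for the demo. Note that a declarative PrincipalPermission demand checks Thread.CurrentPrincipal directly rather than walking the call stack, which is why an Assert in a caller cannot satisfy it.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Shared logic that both authenticated and unauthenticated callers need.
// No PrincipalPermission here; the internal constructor limits who can create it.
public class MyUnprotectedClass
{
    internal MyUnprotectedClass() { }

    public string DoWork(string input)
    {
        return "processed:" + input;
    }
}

// Facade: the demand is placed on the method, not the class.
public class MyProtectedClass
{
    private readonly MyUnprotectedClass _inner = new MyUnprotectedClass();

    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string DoWork(string input)
    {
        return _inner.DoWork(input);
    }

    // The one entry point meant to be reachable without authentication
    // (the "one specific scenario" from the question). Hypothetical name.
    public static MyUnprotectedClass CreateExempted()
    {
        return new MyUnprotectedClass();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample principals; a real host (ASP.NET, WCF, Windows) supplies these.
        // GenericIdentity with an empty name reports IsAuthenticated == false.
        var anonymous = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        var authenticated = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Users" });

        Thread.CurrentPrincipal = anonymous;
        try
        {
            new MyProtectedClass().DoWork("x");
            Console.WriteLine("unexpected: demand did not fire");
        }
        catch (SecurityException)
        {
            Console.WriteLine("anonymous caller denied by method-level demand");
        }

        // The exempted path does not demand anything, so it works for any principal.
        Console.WriteLine(MyProtectedClass.CreateExempted().DoWork("x"));

        Thread.CurrentPrincipal = authenticated;
        Console.WriteLine(new MyProtectedClass().DoWork("y"));
    }
}
```

The trade-off is that every caller with access to CreateExempted bypasses the demand, so that method is the place to keep access tight (internal visibility, or a check on the host-specific condition that defines the exempt scenario).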