控制方法只有相应权限才可执行

有时我们需要在调用一个方法前加判断，比如当前用户是否有权限来调用此方法。

常规做法在NET中是自己做一个Attribute来完成，不过在4.5中有System.Security.Permissions.PrincipalPermissionAttribute可以协助我们，用的是System.Security.Claims.Claim及System.Security.Claims.ClaimTypes。

using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Permissions;
using System.Threading;

namespace ApiSecurityTest
{
    class Program
    {
        static void Main(string[] args)
        {
            var claims = new List<Claim>()
            {
                new Claim(ClaimTypes.Name, "badri"),
                new Claim(ClaimTypes.Email, "badri@nowhere.com"),
                new Claim(ClaimTypes.Role, "StoreMandager"),
                new Claim(ClaimTypes.Role, "BackOfficeClerk")
            };

            var id = new ClaimsIdentity(claims, "Dummy"); // Non-empty string is needed as authentication type
            var principal = new ClaimsPrincipal(new[] { id });
            Thread.CurrentPrincipal = principal;

            MakeDiscount();

            Console.WriteLine();
            Console.ReadLine();
        }

        [PrincipalPermission(SecurityAction.Demand, Role = "StoreManager")] // Declarative
        private static void MakeDiscount()
        {
            try
            {
                Console.WriteLine(Thread.CurrentPrincipal.IsInRole("StoreManager"));
                Console.WriteLine("Discount of 10% has been applied");
            }
            catch
            {
                Console.WriteLine("no access");
            }
        }
    }
}

这样只有当StoreManager的人才能调用此方法，如果不是此类用户就会报SecurityException。

除上述特性外，还有KeyContainerPermissionAttribute，看程序是基于哪种做权限处理。