C# Role-based security

Question

I have a class library which contains my data base access layer, and i use it in all my projects which works with this DB, now i want to integrate security in this library so i can return different data for different security roles. What is the best way to achieve this with .NET build-in security? I was thinking about using System.Security.Permissions.PrincipalPermission but i can't see how it can help me out, because anyone using my library can write client application like this

GenericIdentity genericIdentity = new GenericIdentity("User");
GenericPrincipal genericPrincipal = new GenericPrincipal(genericIdentity, new[] { "Administrator" });
Thread.CurrentPrincipal = genericPrincipal;

And they will pass all my principal permission demands

PrincipalPermission principalPermission = new PrincipalPermission(null, "Administrator");
principalPermission.Demand();

without even authenticating. Either i don't understand this security model, or it just doesn't secure anything.

Answer 1

Role-based security is intended as a way for library code to consume the client's chosen security model without needing to know the implementation; the key here being that you are already at a point where it is reasonably to trust the client's security model, and you just want to offer appropriate options based on decisions made by the client (for example as part of a login process).

If you don't trust the client, all bets are off anyway, as they could just use reflection to rip your internals to shreds. In that scenario, it would be better to keep that implementation code private, for example via a web-service that accepts the user's credentials in some fashion. Then they can only be accounts that they have the credentials for.