
dotnet security: declarative vs. dynamic security demand... why aren't these two snippets equivalent?


dwilcoxen NO[at]SPAM gmail.com
4/25/2007 4:31:08 PM
I have a group (TESTGROUP) defined on my machine. I'm running this
code as a member of that group. It succeeds because I'm a member of
TESTGROUP:

using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;

class Program
{
    static void Main(string[] args)
    {
        try
        {
            // Attach the Windows identity to Thread.CurrentPrincipal before demanding
            AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
            PrincipalPermission pp = new PrincipalPermission(null,
                @"ADJXPWS006\TESTGROUP");
            pp.Demand();
            // .....proceeds ok...
        }
        catch (SecurityException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}


The following code, which instead has a declarative demand for the
same group membership, throws a security exception immediately.

using System;
using System.Security;
using System.Security.Permissions;

class Program
{
    // Declarative demand: evaluated when Main is entered, before any code inside it runs
    [PrincipalPermission(SecurityAction.Demand, Role =
        @"ADJXPWS006\TESTGROUP")]
    static void Main(string[] args)
    {
        try
        {
            // ......
        }
        catch (SecurityException ex) { Console.WriteLine(ex.Message); }
    }
}

The two scenarios are not equivalent, but can anyone explain why
please? Thanks.
Dominick Baier
4/26/2007 12:00:00 AM
Since the attribute is on Main, this runs before you can set Thread.CurrentPrincipal,
which is done by calling

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

PrincipalPermission relies on the correct population of this property.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
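The ordering Dominick describes, as an added example that is not from either poster: the policy is set in Main, and the same declarative demand from the question is moved onto a helper method (DoPrivilegedWork, a name chosen here) so that it is evaluated only after Thread.CurrentPrincipal holds a WindowsPrincipal. The machine and group names are the ones from the question.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class Program
{
    // Main carries no attribute: a declarative demand on the entry point is checked
    // before any statement in Main runs, i.e. before the principal policy is set.
    static void Main(string[] args)
    {
        // Do not read Thread.CurrentPrincipal before this call: the first access binds
        // the default (unauthenticated GenericPrincipal) to the thread, and that
        // principal has no Windows group membership to check against.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        IPrincipal p = Thread.CurrentPrincipal;
        Console.WriteLine("Principal type: " + p.GetType().Name); // WindowsPrincipal
        Console.WriteLine("Identity:       " + p.Identity.Name);
        Console.WriteLine("IsInRole:       " + p.IsInRole(@"ADJXPWS006\TESTGROUP"));

        try
        {
            // The declarative demand is evaluated on entry to this call, which now
            // happens after the Windows principal has been attached.
            DoPrivilegedWork();
            Console.WriteLine("Declarative demand succeeded.");
        }
        catch (SecurityException ex)
        {
            // Reached when the caller is not a member of TESTGROUP
            Console.WriteLine("Declarative demand failed: " + ex.Message);
        }
    }

    // Same attribute as in the question's second snippet, moved off Main
    [PrincipalPermission(SecurityAction.Demand, Role = @"ADJXPWS006\TESTGROUP")]
    static void DoPrivilegedWork()
    {
        // ... group-restricted work ...
    }
}
```

PrincipalPermissionAttribute is a .NET Framework feature; on .NET Core and .NET 5+ it is not supported, and role checks there are done imperatively via IPrincipal.IsInRole.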
