Improving WIF’s Claims-based Authorization – Part 2

In the last post I showed you how to take control over the invocation of ClaimsAuthorizationManager. Then you have complete freedom over the claim types, the amount of claims and the values.

In addition I added two attributes that invoke the authorization manager using an “application claim type”. This way it is very easy to distinguish between authorization calls that originate from WIF’s per-request authorization and the ones from “within” you application.

The attribute comes in two flavours: a CAS attribute (invoked by the CLR) and an ASP.NET MVC attribute (for MVC controllers, invoke by the MVC plumbing). Both also feature static methods to easily call them using the application claim types.

The CAS attribute is part of Thinktecture.IdentityModel on Codeplex (or via NuGet: Install-Package Thinktecture.IdentityModel). If you really want to see that code ;) There is also a sample included in the Codeplex donwload.

The MVC attribute is currently used in Thinktecture.IdentityServer – and I don’t currently plan to make it part of the library project since I don’t want to add a dependency on MVC for now.

You can find the code below – and I will write about its usage in a follow-up post.

public class ClaimsAuthorize : AuthorizeAttribute
{
   
private string
_resource;
   
private string
_action;
   
private string
[] _additionalResources;

   
/// <summary>
    /// Default action claim type.
    /// </summary>
    public const string ActionType = "http://application/claims/authorization/action"
;


   
/// <summary>
    /// Default resource claim type
    /// </summary>
    public const string ResourceType = "http://application/claims/authorization/resource"
;

   
/// <summary>
    /// Additional resource claim type
    /// </summary>
    public const string AdditionalResourceType = "http://application/claims/authorization/additionalresource"

    

    public ClaimsAuthorize(string action, string resource, params string[] additionalResources)
    {
        _action = action;
        _resource = resource;
        _additionalResources = additionalResources;
    }

    public static bool CheckAccess(
     
string action, string resource, params string
[] additionalResources)
    {
       
return
CheckAccess(
           
Thread.CurrentPrincipal as IClaimsPrincipal
,
            action,
            resource,
            additionalResources);
    }

    public static bool CheckAccess(
     
IClaimsPrincipal principal, string action, string resource, params string
[] additionalResources)
    {
       
var
context = CreateAuthorizationContext(
            principal,
            action,
            resource,
            additionalResources);

        return ClaimsAuthorization.CheckAccess(context);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
       
return
CheckAccess(_action, _resource, _additionalResources);
    }

    private static WIF.AuthorizationContext CreateAuthorizationContext(
     
IClaimsPrincipal principal, string action, string resource, params string
[] additionalResources)
    {
       
var actionClaims = new Collection<Claim
>
        {
           
new Claim
(ActionType, action)
        };

        var resourceClaims = new Collection<Claim>
        {
           
new Claim
(ResourceType, resource)
        };

        if (additionalResources != null && additionalResources.Length > 0)
        {
            additionalResources.ToList().ForEach(ar => resourceClaims.Add(
             
new Claim
(AdditionalResourceType, ar)));
        }

        return new WIF.AuthorizationContext(
            principal,
            resourceClaims,
            actionClaims);
    }
}

This entry was posted in IdentityModel. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s