使用ClaimsPrincipalPermission和ADFS 2.0返回的声明注释类

Question

I am using a claims enable web app. I want to lock down a web page with a custom attribute to allow access to the page if a certain claim(s) is present..

I could do the following

Claim claim = claimsIdentity.Claims.FirstOrDefault(c => c.ClaimType 
== "http://somedomain.com/claims/MemberOfGroup" && c.Value == "domain\\test group");

and redirect them away from the page if claim is null..

But how could I do this by annotating the class.

I was looking at the ClaimsPrincipalPermission

[ClaimsPrincipalPermission(SecurityAction.Demand, Resource="", Operation="")]

but for life of me can't see what to put into resource and operation. How do I get my claim that is returned by adfs into a claimsprincipalpermission . Do I need to write a lot of custom classes to do this?

Thanks,

Answer 1

You will have to create your own AuthorizationManager class that inherits from ClaimsAuthorizationManager and override the CheckAccess() method. This method will be called for any method decorated with the ClaimsPrincipalPermission attribute. It will be passed an AuthorizationContext object that contains the Resource string, the Operation String and the IPrincipal Object that contains all the claims the current user has. Inside this method you can parse this data any way you choose to determine access and return true or false.

In the WIF SDK samples, you will find a simple, console app project called ClaimsAuthorization that demonstrates this. It uses the resource and operation to look in the application config file to see what claims the user needs and returns true or false accordingly. Of course, you don't have to do that, you can use any other logic you choose.

The sample is usually under C:\\Program Files (x86)\\Windows Identity Foundation SDK\\v4.0\\Samples\\Extensibility\\Claims based Authorization

Hope that helps