Understand WCF claims-based Security (I)

A lot of information about WCF claims-based security can be found on the web; below are some links:

Building a Claims-Based Security Model in WCF
Fundamentals of WCF Security

Understanding the WCF Identity Model is one of the keys to successfully building a custom security solution. This post is just my notes from trying to build a federated security system.

Accessing ClaimSets

We access the ClaimSets through the ServiceSecurityContext object:

foreach (ClaimSet cs in
   operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
{
   // do something
}

Service Authorization Manager

ServiceAuthorizationManager is part of the WCF Identity Model infrastructure; more detailed information can be found here. Below is how to configure a custom service authorization manager, followed by what a simple one looks like.

<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehavior">
      <serviceAuthorization principalPermissionMode="None"
        serviceAuthorizationManagerType=
          "ServiceAuthorizationManagers.AccessChecker,ServiceAuthorizationManagers" />
      <serviceMetadata httpGetEnabled="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>

AccessChecker implementation. CheckAccessCore is the core method: in this implementation it looks up the roles required for the requested action, finds the "name" claim and uses a Roles provider to check whether that user holds one of them. Actions without an entry in the table are denied.

using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.ServiceModel;
using System.Web.Security;

public class AccessChecker : ServiceAuthorizationManager
{
   const string NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
   // maps a SOAP action to the roles that are allowed to invoke it
   private Dictionary<string, string[]> _requirements = null;

   public AccessChecker()
   {
      // initializing... (the action -> roles table is populated here)
      _requirements = new Dictionary<string, string[]>(StringComparer.Ordinal);
   }

   protected override bool CheckAccessCore(OperationContext operationContext)
   {
      // the SOAP action identifies the operation being invoked
      string header =
         operationContext.RequestContext.RequestMessage.Headers.Action;
      string[] requiredRoles;
      if (!this._requirements.TryGetValue(header, out requiredRoles))
      {
         // no entry for this action: deny by default
         return false;
      }

      foreach (ClaimSet cs in
         operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
      {
         foreach (Claim c in cs)
         {
            if (string.Compare(c.ClaimType, NAME_CLAIM, true) != 0)
               continue;
            foreach (string role in requiredRoles)
            {
               // c.Resource contains the user name
               if (Roles.Provider.IsUserInRole((string)c.Resource, role))
                  return true;
            }
         }
      }
      return false;
   }
}
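The checker above accepts the first name claim it finds in any claim set and defers to the Roles provider. As an added example (not code from the original post or the linked articles), here is a variant for the federated case that authorizes on role claims issued by the STS and ignores claim sets from any other issuer; the role claim type, the action table and the thumbprint are assumed or constructed values.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Linq;
using System.ServiceModel;

// Authorizes on role claims, consulting only claim sets whose issuer presents a known
// signing-certificate thumbprint, so a "name" or "role" claim carried by another claim
// set (e.g. a client certificate's subject name) cannot grant access.
public class RoleClaimAccessChecker : ServiceAuthorizationManager
{
    // Role claim type used by WS-Federation style STSs (assumed for this example).
    const string ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
    // Constructed placeholder: replace with the SHA-1 thumbprint of the real STS signing certificate.
    static readonly byte[] TrustedStsThumbprint =
    {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
        0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x00, 0x11, 0x22, 0x33
    };
    // SOAP action -> roles allowed to invoke it (constructed sample table).
    readonly Dictionary<string, string[]> _requirements = new Dictionary<string, string[]>
    {
        { "http://tempuri.org/IOrderService/GetOrder",     new[] { "Clerk", "Manager" } },
        { "http://tempuri.org/IOrderService/ApproveOrder", new[] { "Manager" } },
    };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        string action = operationContext.RequestContext.RequestMessage.Headers.Action;
        return IsAuthorized(action, operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets);
    }

    // Decision kept apart from OperationContext so a unit test can feed it a hand-built
    // DefaultClaimSet(issuerClaimSet, claims) instead of a live service call.
    public bool IsAuthorized(string action, IEnumerable<ClaimSet> claimSets)
    {
        string[] requiredRoles;
        if (!_requirements.TryGetValue(action, out requiredRoles))
            return false; // unknown action: deny by default
        foreach (ClaimSet cs in claimSets.Where(IssuedByTrustedSts))
            foreach (Claim c in cs.FindClaims(ROLE_CLAIM, Rights.PossessProperty))
                if (requiredRoles.Contains(c.Resource as string, StringComparer.Ordinal))
                    return true;
        return false;
    }

    // A SAML token signed by the STS yields a claim set whose Issuer is the X509CertificateClaimSet
    // of the signing certificate, which carries the thumbprint as a byte[] PossessProperty claim.
    static bool IssuedByTrustedSts(ClaimSet cs)
    {
        return cs.Issuer != null && cs.Issuer.FindClaims(ClaimTypes.Thumbprint, Rights.PossessProperty)
            .Any(c => c.Resource is byte[] && ((byte[])c.Resource).SequenceEqual(TrustedStsThumbprint));
    }
}
```

The same deny-by-default rule applies: an action missing from the table, or a request whose only role claims come from an untrusted issuer, is rejected.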
