
ClaimsPrincipalPermissionAttribute Class


Represents a security attribute used to declaratively assign access checks based on the logic provided by the ClaimsAuthorizationManager instance in the current application context. This class cannot be inherited.

public ref class ClaimsPrincipalPermissionAttribute sealed : System::Security::Permissions::CodeAccessSecurityAttribute
[System.AttributeUsage(System.AttributeTargets.Class | System.AttributeTargets.Method | System.AttributeTargets.Property, AllowMultiple=true)]
public sealed class ClaimsPrincipalPermissionAttribute : System.Security.Permissions.CodeAccessSecurityAttribute
[<System.AttributeUsage(System.AttributeTargets.Class | System.AttributeTargets.Method | System.AttributeTargets.Property, AllowMultiple=true)>]
type ClaimsPrincipalPermissionAttribute = class
    inherit CodeAccessSecurityAttribute
Public NotInheritable Class ClaimsPrincipalPermissionAttribute
Inherits CodeAccessSecurityAttribute


The following example shows how to protect a method by decorating it with the ClaimsPrincipalPermissionAttribute attribute. The attribute will evaluate whether access should be granted to the current principal by leveraging the logic provided by the ClaimsAuthorizationManager instance in the application context. If the current principal is not authorized for the specified action on the specified resource, a SecurityException is thrown; otherwise, execution proceeds.

using System.IdentityModel.Services;   // ClaimsPrincipalPermissionAttribute
using System.Security.Permissions;     // SecurityAction
// Declarative access check using the permission class. The caller must satisfy both demands.
[ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "resource", Operation = "action")]
[ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "resource1", Operation = "action1")]
static void ProtectedMethod()
{
}

The following XML shows the minimum configuration required to use a custom claims authorization manager with the ClaimsPrincipalPermissionAttribute class. You must, at a minimum, declare both the system.identityModel and the system.identityModel.services sections in the <configSections> element and then specify your authorization manager in a <claimsAuthorizationManager> element under the default identity configuration. This will ensure that your authorization manager is referenced from the default federation configuration. Alternatively, you can specify the name of the identity configuration under which your authorization manager is specified in the identityConfigurationName attribute of the <federationConfiguration> element.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <configSections>
    <!-- WIF configuration sections -->
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
  </configSections>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <system.identityModel>
    <identityConfiguration>
      <claimsAuthorizationManager type="MyClaimsAuthorizationManager.MyClaimsAuthorizationManager, MyClaimsAuthorizationManager"/>
    </identityConfiguration>
  </system.identityModel>
</configuration>



The ClaimsPrincipalPermissionAttribute is used to declaratively request an access check using the configured ClaimsAuthorizationManager.

You must specify one of the SecurityAction values, a Resource and an Operation in your ClaimsPrincipalPermissionAttribute declaration. The Resource and Operation properties specify the resource and action for which the current principal (Thread.CurrentPrincipal) must be authorized for execution to proceed. If the current principal is not authorized to perform the specified action (operation) on the specified resource, a SecurityException is thrown.


The ClaimsPrincipalPermissionAttribute class uses the claims authorization manager configured by the IdentityConfiguration that is set under the FederatedAuthentication.FederationConfiguration property. This is true in all cases, even in scenarios where WS-Federation is not used; for example, active (WCF) Web applications and Console applications. You can specify the claims authorization manager either in configuration or programmatically. To specify the claims authorization manager in a configuration file, set the <claimsAuthorizationManager> element under an <identityConfiguration> element and ensure that this identity configuration is referenced by the <federationConfiguration> element that is loaded by the runtime (for example, by setting the identityConfigurationName attribute). To set the claims authorization manager programmatically, provide a handler for the FederatedAuthentication.FederationConfigurationCreated event.
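
The following console program is an added example, not part of the original documentation. It shows a deny-by-default custom claims authorization manager, registered programmatically through the FederationConfigurationCreated event, deciding a declarative demand. The "auditor" role rule, the "ConstructedAuth" authentication type and both principals are constructed for illustration, and the program assumes the two WIF configuration sections are declared as in the configuration shown earlier.

```csharp
using System;
using System.IdentityModel.Services;
using System.Linq;
using System.Security;
using System.Security.Claims;
using System.Security.Permissions;
using System.Threading;

namespace MyClaimsAuthorizationManager
{
    // Type name matches the <claimsAuthorizationManager> entry in the configuration example.
    public class MyClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        {
            // Resource and Operation from the attribute arrive as claim values.
            string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
            string action = context.Action.Select(c => c.Value).FirstOrDefault();
            // Deny by default: unauthenticated callers and unknown pairs are refused.
            if (!context.Principal.Identities.Any(i => i.IsAuthenticated)) return false;
            // Constructed rule: only the "auditor" role may perform "action" on "resource".
            return resource == "resource" && action == "action"
                && context.Principal.HasClaim(ClaimTypes.Role, "auditor");
        }
    }

    static class Program
    {
        [ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "resource", Operation = "action")]
        static void ProtectedMethod() { Console.WriteLine("authorized"); }

        static void Main()
        {
            // Programmatic registration; attach before the first demand creates the configuration.
            FederatedAuthentication.FederationConfigurationCreated += (sender, e) =>
                e.FederationConfiguration.IdentityConfiguration.ClaimsAuthorizationManager =
                    new MyClaimsAuthorizationManager();

            // Constructed principal holding the role the rule requires.
            Thread.CurrentPrincipal = new ClaimsPrincipal(new ClaimsIdentity(
                new[] { new Claim(ClaimTypes.Role, "auditor") }, "ConstructedAuth"));
            ProtectedMethod();
            // Unauthenticated principal: the demand fails with a SecurityException.
            Thread.CurrentPrincipal = new ClaimsPrincipal(new ClaimsIdentity());
            try { ProtectedMethod(); }
            catch (SecurityException) { Console.WriteLine("denied"); }
        }
    }
}
```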



Initializes a new instance of the ClaimsPrincipalPermissionAttribute class.



Gets or sets a security action.

(Inherited from SecurityAttribute)

Gets or sets the operation for which the current principal should be authorized on the specified resource.


Gets or sets the resource on which the principal should be authorized to perform the specified action (operation).


When implemented in a derived class, gets a unique identifier for this Attribute.

(Inherited from Attribute)

Gets or sets a value indicating whether full (unrestricted) permission to the resource protected by the attribute is declared.

(Inherited from SecurityAttribute)



Creates a new instance of the ClaimsPrincipalPermission class that is based on the current instance.


Returns a value that indicates whether this instance is equal to a specified object.

(Inherited from Attribute)

Returns the hash code for this instance.

(Inherited from Attribute)

Gets the Type of the current instance.

(Inherited from Object)

When overridden in a derived class, indicates whether the value of this instance is the default value for the derived class.

(Inherited from Attribute)

When overridden in a derived class, returns a value that indicates whether this instance equals a specified object.

(Inherited from Attribute)

Creates a shallow copy of the current Object.

(Inherited from Object)

Returns a string that represents the current object.

(Inherited from Object)

Explicit Interface Implementations

_Attribute.GetIDsOfNames(Guid, IntPtr, UInt32, UInt32, IntPtr)

Maps a set of names to a corresponding set of dispatch identifiers.

(Inherited from Attribute)
_Attribute.GetTypeInfo(UInt32, UInt32, IntPtr)

Retrieves the type information for an object, which can be used to get the type information for an interface.

(Inherited from Attribute)

Retrieves the number of type information interfaces that an object provides (either 0 or 1).

(Inherited from Attribute)
_Attribute.Invoke(UInt32, Guid, UInt32, Int16, IntPtr, IntPtr, IntPtr, IntPtr)

Provides access to properties and methods exposed by an object.

(Inherited from Attribute)
