AuthorizationContext Class

Definition

Provides context information of an authorization event. This includes the principal that represents the caller, the resource that is being requested, and the action that is being performed.

public ref class AuthorizationContext
public class AuthorizationContext
type AuthorizationContext = class
Public Class AuthorizationContext
Inheritance
AuthorizationContext

Examples

The code example that is used in the AuthorizationContext topic is taken from the Claims Based Authorization sample. This sample provides a custom claims authorization manager that can authorize subjects based on a policy that is specified in configuration. This custom manager consists of three basic components: a class derived from ClaimsAuthorizationManager that implements the manager, the ResourceAction class that pairs a resource and an action, and a policy reader that reads and compiles policy that is specified in the configuration file. This compiled policy can then be used by the claims authorization manager to evaluate a principal in order to authorize access to resources. Not all elements are shown for the sake of brevity. For information about this sample and other samples available for WIF and about where to download them, see WIF Code Sample Index.

The following code shows the CheckAccess method for the custom claims authorization manager. It looks up and invokes the compiled policy function for the resource and action specified in the AuthorizationContext and evaluates the principal against it; that function returns true to grant access or false to deny it.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Manager type referenced from configuration as ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager.
// ResourceAction and PolicyReader are the sample's other components and are not shown here.
public class MyClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    // Compiled policy, keyed by (resource, action): each entry is a predicate over the principal.
    static Dictionary<ResourceAction, Func<ClaimsPrincipal, bool>> _policies = new Dictionary<ResourceAction, Func<ClaimsPrincipal, bool>>();
    PolicyReader _policyReader = new PolicyReader();

    /// <summary>
    /// Checks if the principal specified in the authorization context is authorized to perform the action specified in the authorization context
    /// on the specified resource
    /// </summary>
    /// <param name="pec">Authorization context</param>
    /// <returns>true if authorized, false otherwise</returns>
    public override bool CheckAccess(AuthorizationContext pec)
    {
        //
        // Evaluate the policy against the claims of the
        // principal to determine access
        //
        bool access = false;
        try
        {
            // Resource and Action are claim collections; the first claim of each forms the policy lookup key.
            ResourceAction ra = new ResourceAction(pec.Resource.First<Claim>().Value, pec.Action.First<Claim>().Value);

            access = _policies[ra](pec.Principal);
        }
        catch (Exception)
        {
            // Any failure (no policy for this resource/action pair, an empty claim collection, ...) denies access.
            access = false;
        }

        return access;
    }
}

The following XML shows an example of the authorization policy specified in configuration. In the first policy (an or element), the principal must possess at least one of the listed claims in order to perform the specified action on the specified resource. In the second policy (an and element), the principal must possess both claims to perform the specified action on the specified resource. The remaining policies list no claims, so the principal is granted access regardless of the claims it possesses.

<system.identityModel>
  <identityConfiguration>
    <claimsAuthorizationManager type="ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager, ClaimsAuthorizationLibrary">
      <policy resource="http://localhost:28491/Developers.aspx" action="GET">
        <or>
          <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" claimValue="developer" />
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
        </or>
      </policy>
      <policy resource="http://localhost:28491/Administrators.aspx" action="GET">
        <and>
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
          <claim claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" claimValue="USA" />
        </and>
      </policy>
      <policy resource="http://localhost:28491/Default.aspx" action="GET">
      </policy>
      <policy resource="http://localhost:28491/" action="GET">
      </policy>
      <policy resource="http://localhost:28491/Claims.aspx" action="GET">
      </policy>
    </claimsAuthorizationManager>

    ...

  </identityConfiguration>
</system.identityModel>

Remarks

The AuthorizationContext class represents the context that is used by a claims authorization manager, an implementation of the ClaimsAuthorizationManager class, to determine whether a principal (subject) should be authorized to perform a specified action on a given resource. The claims authorization manager evaluates the authorization context in the CheckAccess method and either denies or grants access based on the claims presented by the principal.

The Principal property contains the principal for which authorization is being requested, the Resource property contains the resource on which the principal is being authorized, and the Action property contains the actions that the principal intends to perform on the resource. Both the resource and the action are represented as a collection of claims; however, in most cases, each collection contains a single claim.
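As an added example (not the WIF sample's own code; the sample's policy reader is not shown on this page), the following compiles the policy, or, and and claim XML elements shown above into predicates and evaluates an AuthorizationContext built with the (ClaimsPrincipal, String, String) constructor against them, denying any (resource, action) pair that has no policy instead of relying on an exception handler. The class, its Tuple-keyed dictionary, the inline configuration and the test principal are constructed for illustration; it assumes .NET Framework with a reference to System.IdentityModel.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Xml.Linq;
// Added example, not the WIF sample's own code: compiles <policy> elements like those above into predicates.
public class MyClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    // (resource, action) -> predicate. Tuple<,> has structural equality and stands in for the sample's ResourceAction.
    readonly Dictionary<Tuple<string, string>, Func<ClaimsPrincipal, bool>> _policies;
    public MyClaimsAuthorizationManager(XElement managerElement)
    {
        _policies = managerElement.Elements("policy").ToDictionary(
            p => Tuple.Create((string)p.Attribute("resource"), (string)p.Attribute("action")), Compile);
    }
    // Empty <policy> grants everyone (the Default.aspx case); <or> needs any child, <and> all; <claim> is an exact match.
    static Func<ClaimsPrincipal, bool> Compile(XElement n)
    {
        var children = n.Elements().Select(Compile).ToList();
        switch (n.Name.LocalName)
        {
            case "policy": return children.Count == 0 ? (_ => true) : children[0];
            case "or": return p => children.Any(f => f(p));
            case "and": return p => children.All(f => f(p));
            case "claim": return p => p.HasClaim((string)n.Attribute("claimType"), (string)n.Attribute("claimValue"));
            default: throw new InvalidOperationException("Unknown policy element: " + n.Name);
        }
    }
    public override bool CheckAccess(AuthorizationContext ctx)
    {
        // Resource and Action are claim collections; like the sample, use the first claim of each.
        string resource = ctx.Resource.FirstOrDefault()?.Value, action = ctx.Action.FirstOrDefault()?.Value;
        // Fail closed: a (resource, action) pair with no configured policy is denied, with no exception involved.
        return resource != null && action != null
            && _policies.TryGetValue(Tuple.Create(resource, action), out var policy) && policy(ctx.Principal);
    }
    public static void Main()
    {
        var manager = new MyClaimsAuthorizationManager(XElement.Parse(@"<claimsAuthorizationManager>
  <policy resource='http://localhost:28491/Administrators.aspx' action='GET'><and>
    <claim claimType='http://schemas.xmlsoap.org/claims/Group' claimValue='Administrator' />
    <claim claimType='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country' claimValue='USA' />
  </and></policy><policy resource='http://localhost:28491/Default.aspx' action='GET' /></claimsAuthorizationManager>"));
        // Constructed test principal: in the Administrator group but with country CA, so the <and> policy is not satisfied.
        var alice = new ClaimsPrincipal(new ClaimsIdentity(new[] {
            new Claim("http://schemas.xmlsoap.org/claims/Group", "Administrator"),
            new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country", "CA") }, "Test"));
        foreach (var page in new[] { "Administrators.aspx", "Default.aspx", "Secret.aspx" })  // Secret.aspx has no policy
            Console.WriteLine(page + ": " + manager.CheckAccess(new AuthorizationContext(alice, "http://localhost:28491/" + page, "GET")));
    }
}
```

The (ClaimsPrincipal, String, String) constructor wraps the resource and action names in single-claim collections, which is why CheckAccess reads the first claim of each, and because lookup is an exact string match, a resource variant that is not configured is denied rather than silently matched.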

Constructors

AuthorizationContext(ClaimsPrincipal, Collection<Claim>, Collection<Claim>)

Initializes a new instance of the AuthorizationContext class with the specified principal, resource claim, and action claim.

AuthorizationContext(ClaimsPrincipal, String, String)

Initializes a new instance of the AuthorizationContext class with the specified principal, resource name, and action name.

Properties

Action

Gets the action for which the principal is to be authorized.

Principal

Gets the principal (subject) for which authorization is being requested.

Resource

Gets the resource on which the principal is to be authorized.

Methods

Equals(Object)

Determines whether the specified object is equal to the current object.
(Inherited from Object)

GetHashCode()

Serves as the default hash function.
(Inherited from Object)

GetType()

Gets the Type of the current instance.
(Inherited from Object)

MemberwiseClone()

Creates a shallow copy of the current Object.
(Inherited from Object)

ToString()

Returns a string that represents the current object.
(Inherited from Object)

Applies to