
ClaimsPrincipalPermissionAttribute Class

.NET Framework 4.5

Represents a security attribute used to declaratively assign access checks based on the logic provided by the ClaimsAuthorizationManager instance in the current application context. This class cannot be inherited.

System.Object
  System.Attribute
    System.Security.Permissions.SecurityAttribute
      System.Security.Permissions.CodeAccessSecurityAttribute
        System.IdentityModel.Services.ClaimsPrincipalPermissionAttribute

Namespace:  System.IdentityModel.Services
Assembly:  System.IdentityModel.Services (in System.IdentityModel.Services.dll)

[AttributeUsageAttribute(AttributeTargets.Class|AttributeTargets.Method|AttributeTargets.Property, AllowMultiple = true)]
public sealed class ClaimsPrincipalPermissionAttribute : CodeAccessSecurityAttribute

The ClaimsPrincipalPermissionAttribute type exposes the following members.

| Kind | Name | Description |
|---|---|---|
| Public method | ClaimsPrincipalPermissionAttribute | Initializes a new instance of the ClaimsPrincipalPermissionAttribute class. |

| Kind | Name | Description |
|---|---|---|
| Public property | Action | Gets or sets a security action. (Inherited from SecurityAttribute.) |
| Public property | Operation | Gets or sets the operation for which the current principal should be authorized on the specified resource. |
| Public property | Resource | Gets or sets the resource on which the principal should be authorized to perform the specified action (operation). |
| Public property | TypeId | When implemented in a derived class, gets a unique identifier for this Attribute. (Inherited from Attribute.) |
| Public property | Unrestricted | Gets or sets a value indicating whether full (unrestricted) permission to the resource protected by the attribute is declared. (Inherited from SecurityAttribute.) |

| Kind | Name | Description |
|---|---|---|
| Public method | CreatePermission | Creates a new instance of the ClaimsPrincipalPermission class that is based on the current instance. (Overrides SecurityAttribute.CreatePermission().) |
| Public method | Equals | Infrastructure. Returns a value that indicates whether this instance is equal to a specified object. (Inherited from Attribute.) |
| Public method | GetHashCode | Returns the hash code for this instance. (Inherited from Attribute.) |
| Public method | GetType | Gets the Type of the current instance. (Inherited from Object.) |
| Public method | IsDefaultAttribute | When overridden in a derived class, indicates whether the value of this instance is the default value for the derived class. (Inherited from Attribute.) |
| Public method | Match | When overridden in a derived class, returns a value that indicates whether this instance equals a specified object. (Inherited from Attribute.) |
| Public method | ToString | Returns a string that represents the current object. (Inherited from Object.) |

| Kind | Name | Description |
|---|---|---|
| Explicit interface implementation, private method | _Attribute.GetIDsOfNames | Maps a set of names to a corresponding set of dispatch identifiers. (Inherited from Attribute.) |
| Explicit interface implementation, private method | _Attribute.GetTypeInfo | Retrieves the type information for an object, which can be used to get the type information for an interface. (Inherited from Attribute.) |
| Explicit interface implementation, private method | _Attribute.GetTypeInfoCount | Retrieves the number of type information interfaces that an object provides (either 0 or 1). (Inherited from Attribute.) |
| Explicit interface implementation, private method | _Attribute.Invoke | Provides access to properties and methods exposed by an object. (Inherited from Attribute.) |

The ClaimsPrincipalPermissionAttribute is used to declaratively request an access check using the configured ClaimsAuthorizationManager.

You must specify one of the SecurityAction values, a Resource and an Operation in your ClaimsPrincipalPermissionAttribute declaration. The Resource and Operation properties specify the resource and action for which the current principal (Thread.CurrentPrincipal) must be authorized for execution to proceed. If the current principal is not authorized to perform the specified action (operation) on the specified resource, a SecurityException is thrown.

Important

The ClaimsPrincipalPermissionAttribute class uses the claims authorization manager configured by the IdentityConfiguration that is set under the FederatedAuthentication.FederationConfiguration property. This is true in all cases, even in scenarios where WS-Federation is not used; for example, active (WCF) Web applications and Console applications. You can specify the claims authorization manager either in configuration or programmatically. To specify the claims authorization manager in a configuration file, set the <claimsAuthorizationManager> element under an <identityConfiguration> element and ensure that this identity configuration is referenced by the <federationConfiguration> element that is loaded by the runtime (for example, by setting the identityConfigurationName attribute). To set the claims authorization manager programmatically, provide a handler for the FederatedAuthentication.FederationConfigurationCreated event.

The following example shows how to protect a method by decorating it with the ClaimsPrincipalPermissionAttribute attribute. The attribute will evaluate whether access should be granted to the current principal by leveraging the logic provided by the ClaimsAuthorizationManager instance in the application context. If the current principal is not authorized for the specified action on the specified resource, a SecurityException is thrown; otherwise, execution proceeds.


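using System.IdentityModel.Services;   // ClaimsPrincipalPermissionAttribute
using System.Security.Permissions;     // SecurityAction

//
// Declarative access check using the ClaimsPrincipalPermission attribute.
// The caller must satisfy both demands; otherwise a SecurityException is thrown.
//
[ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "resource", Operation = "action")]
[ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "resource1", Operation = "action1")]
static void ProtectedMethod()
{
}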

The following XML shows the minimum configuration required to use a custom claims authorization manager with the ClaimsPrincipalPermissionAttribute class. You must, at a minimum, declare both the system.identityModel and the system.identityModel.services sections in the <configSections> element and then specify your authorization manager in a <claimsAuthorizationManager> element under the default identity configuration. This ensures that your authorization manager is referenced from the default federation configuration. Alternatively, you can specify the name of the identity configuration under which your authorization manager is specified in the identityConfigurationName attribute of the <federationConfiguration> element.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <configSections>
    <!-- WIF configuration sections -->
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
  </configSections>
  
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  
  <system.identityModel>
    <identityConfiguration>
      <claimsAuthorizationManager type ="MyClaimsAuthorizationManager.MyClaimsAuthorizationManager, MyClaimsAuthorizationManager"/>
    </identityConfiguration>
  </system.identityModel>
  
</configuration>
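
A deny-by-default authorization manager of the kind the configuration above references, given as an added example rather than Microsoft's sample code. The policy table and the role names "Operators" and "Administrators" are hypothetical; the resource and operation strings match the attribute declarations in the earlier example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

namespace MyClaimsAuthorizationManager
{
    // Hypothetical policy: each (resource, operation) pair maps to the role
    // claim the caller must hold. Pairs that are not listed are denied.
    public class MyClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        private static readonly Dictionary<Tuple<string, string>, string> RequiredRole =
            new Dictionary<Tuple<string, string>, string>
            {
                { Tuple.Create("resource",  "action"),  "Operators" },      // constructed
                { Tuple.Create("resource1", "action1"), "Administrators" }  // constructed
            };

        public override bool CheckAccess(AuthorizationContext context)
        {
            // Unauthenticated or missing principals never pass.
            if (context.Principal == null ||
                context.Principal.Identity == null ||
                !context.Principal.Identity.IsAuthenticated)
                return false;

            // The attribute's Resource and Operation strings arrive as the
            // values of the claims in context.Resource and context.Action.
            // Every resource/action combination must be allowed by policy.
            foreach (Claim resource in context.Resource)
            foreach (Claim action in context.Action)
            {
                string role;
                var key = Tuple.Create(resource.Value, action.Value);
                if (!RequiredRole.TryGetValue(key, out role))
                    return false;   // unknown pair: deny
                if (!context.Principal.HasClaim(ClaimTypes.Role, role))
                    return false;   // caller lacks the required role: deny
            }

            // Empty Resource or Action collections authorize nothing.
            return context.Resource.Count > 0 && context.Action.Count > 0;
        }
    }
}
```

Returning false from CheckAccess is what causes the attribute to throw SecurityException, so a Resource/Operation pair used in a declaration but missing from the policy table fails closed.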

.NET Framework

Supported in: 4.6, 4.5

Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
© 2014 Microsoft