
IAuthorizationPolicy Interface

Defines a set of rules for authorizing a user, given a set of claims.

Namespace:  System.IdentityModel.Policy
Assembly:  System.IdentityModel (in System.IdentityModel.dll)

public interface IAuthorizationPolicy : IAuthorizationComponent

The IAuthorizationPolicy type exposes the following members.

  Name | Description
Public property | Id — Gets a string that identifies this authorization component. (Inherited from IAuthorizationComponent.)
Public property | Issuer — Gets a claim set that represents the issuer of the authorization policy.

  Name | Description
Public method | Evaluate — Evaluates whether a user meets the requirements for this authorization policy.

Implement the IAuthorizationPolicy interface to add claims or to map one set of claims to another. An authorization policy examines a set of claims and adds additional claims based on the current set. For example, an authorization policy might evaluate a claim that contains the date of birth and, based on it, add an Over21 claim to the EvaluationContext asserting that the user is over 21 years old.

Classes that implement the IAuthorizationPolicy interface do not authorize users, but they enable the ServiceAuthorizationManager class to do so. The ServiceAuthorizationManager calls the Evaluate method for each authorization policy in effect. The Evaluate method determines whether additional claims should be added for the user, based on the current context. An authorization policy's Evaluate method may be called multiple times, as claims are added to the EvaluationContext by other authorization policies. When all authorization policies in effect are done, the ServiceAuthorizationManager class makes authorization decisions based upon the final set of claims. The ServiceAuthorizationManager class then creates an AuthorizationContext that contains an immutable set of claims that reflects these authorization decisions.


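        // Sample authorization policy. For every Name claim found in the evaluation
        // context it adds one "allowedoperation" claim per operation the named user
        // may call, using a hard-coded sample table of user names to operations.
        public class MyAuthorizationPolicy : IAuthorizationPolicy
        {
            // Claim type of the derived claims this policy adds to the context.
            private const string AllowedOperationClaimType = "http://example.org/claims/allowedoperation";

            // Sample mapping of user name -> operation action URIs. Lookups are ordinal.
            private static readonly IDictionary<string, string[]> allowedOperations = BuildAllowedOperations();

            // Identifies this policy instance (IAuthorizationComponent.Id); fixed at construction.
            private readonly string id;

            public MyAuthorizationPolicy()
            {
                id = Guid.NewGuid().ToString();
            }

            // Adds allowed-operation claims for each Name claim present in the context.
            // 'state' is per-policy scratch space owned by the caller: it is created on
            // the first call and handed back unchanged on later calls.
            // Returns true once the claims have been added, signalling that this policy
            // need not be evaluated again in the current pass.
            // Throws ArgumentNullException when evaluationContext is null.
            public bool Evaluate(EvaluationContext evaluationContext, ref object state)
            {
                if (evaluationContext == null)
                {
                    throw new ArgumentNullException("evaluationContext");
                }

                CustomAuthState customState;
                if (state == null)
                {
                    // First call for this policy: set up the custom state.
                    customState = new CustomAuthState();
                    state = customState;
                }
                else
                {
                    // The caller hands back whatever this policy stored on the first call.
                    customState = (CustomAuthState)state;
                }

                Console.WriteLine("Inside MyAuthorizationPolicy::Evaluate");

                if (!customState.ClaimsAdded)
                {
                    IList<Claim> claims = new List<Claim>();

                    // NOTE: every claim set in the context is consulted, regardless of who
                    // issued it. A production policy should only derive permissions from
                    // Name claims in claim sets whose issuer (cs.Issuer) it trusts.
                    foreach (ClaimSet cs in evaluationContext.ClaimSets)
                    {
                        foreach (Claim c in cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
                        {
                            // A Name claim without a resource carries no user name; skip it
                            // rather than dereferencing null.
                            if (c.Resource == null)
                            {
                                continue;
                            }

                            foreach (string operation in GetAllowedOpList(c.Resource.ToString()))
                            {
                                claims.Add(new Claim(AllowedOperationClaimType, operation, Rights.PossessProperty));
                                Console.WriteLine("Claim added {0}", operation);
                            }
                        }
                    }

                    // The derived claims are attributed to this.Issuer (ClaimSet.System), so
                    // downstream consumers will see them as system-issued. An empty claim
                    // set is added when no user matched, as in the original sample.
                    evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, claims));

                    customState.ClaimsAdded = true;
                }

                // Either the claims were just added or they were added on an earlier call;
                // in both cases there is nothing left to do, so report completion.
                return true;
            }

            // Issuer attributed to the claims this policy adds. ClaimSet.System presents
            // them as issued by the system itself.
            public ClaimSet Issuer
            {
                get { return ClaimSet.System; }
            }

            public string Id
            {
                get { return id; }
            }

            // Returns the operation action URIs the specified user name is allowed to
            // call, or an empty sequence for a null or unknown user name.
            private IEnumerable<string> GetAllowedOpList(string username)
            {
                string[] operations;
                if (username != null && allowedOperations.TryGetValue(username, out operations))
                {
                    // Read-only view so the shared table cannot be modified through the result.
                    return Array.AsReadOnly(operations);
                }
                return new string[0];
            }

            // Builds the sample user name -> allowed operations table. Comparison is
            // ordinal, matching a plain string == check.
            private static IDictionary<string, string[]> BuildAllowedOperations()
            {
                Dictionary<string, string[]> table = new Dictionary<string, string[]>(StringComparer.Ordinal);
                table["test1"] = new string[]
                {
                    "http://Microsoft.ServiceModel.Samples/ICalculator/Add",
                    "http://Microsoft.ServiceModel.Samples/ICalculator/Multiply",
                    "http://Microsoft.ServiceModel.Samples/ICalculator/Subtract",
                };
                table["test2"] = new string[]
                {
                    "http://Microsoft.ServiceModel.Samples/ICalculator/Add",
                    "http://Microsoft.ServiceModel.Samples/ICalculator/Subtract",
                };
                return table;
            }

            // Per-evaluation scratch state passed back to Evaluate through 'state'.
            private class CustomAuthState
            {
                private bool claimsAdded;

                // True once this policy has added its claims to the evaluation context.
                public bool ClaimsAdded
                {
                    get { return claimsAdded; }
                    set { claimsAdded = value; }
                }
            }
        }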



.NET Framework

Supported in: 4, 3.5, 3.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.
