
AuthorizationContext Class

.NET Framework 4.5

Provides context information of an authorization event. This includes the principal that represents the caller, the resource that is being requested, and the action that is being performed.

System.Object
  System.Security.Claims.AuthorizationContext

Namespace:  System.Security.Claims
Assembly:  System.IdentityModel (in System.IdentityModel.dll)

'Declaration
Public Class AuthorizationContext

The AuthorizationContext type exposes the following members.

Constructors

  Name                                                                                Description
  AuthorizationContext(ClaimsPrincipal, Collection(Of Claim), Collection(Of Claim))   Initializes a new instance of the AuthorizationContext class with the specified principal, resource claim, and action claim.
  AuthorizationContext(ClaimsPrincipal, String, String)                               Initializes a new instance of the AuthorizationContext class with the specified principal, resource name, and action name.

Properties

  Name        Description
  Action      Gets the action for which the principal is to be authorized.
  Principal   Gets the principal (subject) for which authorization is being requested.
  Resource    Gets the resource on which the principal is to be authorized.

Methods

  Name                          Description
  Equals(Object)                Determines whether the specified object is equal to the current object. (Inherited from Object.)
  Finalize (protected)          Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
  GetHashCode                   Serves as the default hash function. (Inherited from Object.)
  GetType                       Gets the Type of the current instance. (Inherited from Object.)
  MemberwiseClone (protected)   Creates a shallow copy of the current Object. (Inherited from Object.)
  ToString                      Returns a string that represents the current object. (Inherited from Object.)

The AuthorizationContext class represents the context that is used by a claims authorization manager, an implementation of the ClaimsAuthorizationManager class, to determine whether a principal (subject) should be authorized to perform a specified action on a given resource. The claims authorization manager evaluates the authorization context in the CheckAccess method and either denies or grants access based on the claims presented by the principal.

The Principal property contains the principal for which authorization is being requested, the Resource property contains the resource on which the principal is being authorized, and the Action property contains the actions that the principal intends to perform on the resource. Both the resource and the action are represented as a collection of claims; however, in most cases, each collection contains a single claim.

The code example that is used in the AuthorizationContext topic is taken from the Claims Based Authorization sample. This sample provides a custom claims authorization manager that can authorize subjects based on a policy that is specified in configuration. This custom manager consists of three basic components: a class derived from ClaimsAuthorizationManager that implements the manager, the ResourceAction class that pairs a resource and an action, and a policy reader that reads and compiles policy that is specified in the configuration file. This compiled policy can then be used by the claims authorization manager to evaluate a principal in order to authorize access to resources. Not all elements are shown for the sake of brevity. For information about this sample and other samples available for WIF and about where to download them, see WIF Code Sample Index.

The following code shows the CheckAccess method for the custom claims authorization manager. The method uses the resource and action carried in the AuthorizationContext to look up the compiled policy function for that pair and invokes it on the principal. The function returns true or false, which grants or denies access to the principal.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

namespace ClaimsAuthorizationLibrary
{
    // ResourceAction and PolicyReader are the sample's other two components (not shown here).
    // The class name matches the type registered in the configuration below.
    public class MyClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        static Dictionary<ResourceAction, Func<ClaimsPrincipal, bool>> _policies = new Dictionary<ResourceAction, Func<ClaimsPrincipal, bool>>();
        PolicyReader _policyReader = new PolicyReader();

        ...

        /// <summary>
        /// Checks if the principal specified in the authorization context is authorized to perform the action specified in the authorization context
        /// on the specified resource
        /// </summary>
        /// <param name="pec">Authorization context</param>
        /// <returns>true if authorized, false otherwise</returns>
        public override bool CheckAccess(AuthorizationContext pec)
        {
            //
            // Evaluate the policy against the claims of the
            // principal to determine access
            //
            bool access = false;
            try
            {
                ResourceAction ra = new ResourceAction(pec.Resource.First<Claim>().Value, pec.Action.First<Claim>().Value);

                // A resource/action pair with no compiled policy throws KeyNotFoundException
                // on the lookup, which the catch below turns into a denial.
                access = _policies[ra](pec.Principal);
            }
            catch (Exception)
            {
                access = false;
            }

            return access;
        }
    }
}

The following XML shows an example of the authorization policy that was specified in configuration. In the first policy, the principal must possess at least one of the specified claims in order to perform the specified action on the specified resource. In the second policy, the principal must possess both claims to be able to perform the specified action on the specified resource. The remaining policies specify no claims, so the principal is granted access to those resources regardless of the claims it possesses.

  <system.identityModel>
    <identityConfiguration>
      <claimsAuthorizationManager type="ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager, ClaimsAuthorizationLibrary">
        <policy resource="http://localhost:28491/Developers.aspx" action="GET">
          <or>
            <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" claimValue="developer" />
            <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
          </or>
        </policy>
        <policy resource="http://localhost:28491/Administrators.aspx" action="GET">
          <and>
            <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
            <claim claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" claimValue="USA" />
          </and>
        </policy>
        <policy resource="http://localhost:28491/Default.aspx" action="GET">
        </policy>
        <policy resource="http://localhost:28491/" action="GET">
        </policy>
        <policy resource="http://localhost:28491/Claims.aspx" action="GET">
        </policy>
      </claimsAuthorizationManager>

      ...

    </identityConfiguration>
  </system.identityModel>
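The sample's policy reader is not shown above, so the following added example (not the sample's own code) implements a small one: it overrides LoadCustomConfiguration, which WIF calls with the child elements of the claimsAuthorizationManager configuration element, compiles each policy into a predicate keyed by (resource, action), and evaluates it in CheckAccess against an AuthorizationContext built with the (principal, resource name, action name) constructor. The class name PolicyAuthorizationManager, the Tuple key in place of the sample's ResourceAction, and the principal constructed in Main are assumptions; the configuration string is the Administrators.aspx policy from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Xml;

// Hypothetical manager, not the sample's own code: compiles the <policy> elements that WIF passes to
// LoadCustomConfiguration into predicates keyed by (resource, action) and evaluates them in CheckAccess.
public class PolicyAuthorizationManager : ClaimsAuthorizationManager
{
    readonly Dictionary<Tuple<string, string>, Func<ClaimsPrincipal, bool>> _policies =
        new Dictionary<Tuple<string, string>, Func<ClaimsPrincipal, bool>>();
    // Called by WIF with the child nodes of <claimsAuthorizationManager> from the configuration file.
    public override void LoadCustomConfiguration(XmlNodeList nodes)
    {
        foreach (XmlElement policy in nodes.OfType<XmlElement>().Where(n => n.Name == "policy"))
            _policies[Tuple.Create(policy.GetAttribute("resource"), policy.GetAttribute("action"))]
                = Compile(policy.ChildNodes.OfType<XmlElement>().FirstOrDefault());
    }
    // <claim> -> HasClaim; <or>/<and> -> Any/All over the child rules; an empty <policy> always grants.
    static Func<ClaimsPrincipal, bool> Compile(XmlElement node)
    {
        if (node == null) return p => true;
        var children = node.ChildNodes.OfType<XmlElement>().Select(Compile).ToList();
        string type = node.GetAttribute("claimType"), value = node.GetAttribute("claimValue");
        if (node.Name == "claim") return p => p.HasClaim(type, value);
        if (node.Name == "or") return p => children.Any(rule => rule(p));
        if (node.Name == "and") return p => children.All(rule => rule(p));
        throw new InvalidOperationException("Unknown policy element: " + node.Name);
    }
    public override bool CheckAccess(AuthorizationContext context)
    {
        var key = Tuple.Create(context.Resource.First().Value, context.Action.First().Value);
        Func<ClaimsPrincipal, bool> rule;
        // A resource/action pair with no policy is denied rather than silently allowed.
        return _policies.TryGetValue(key, out rule) && rule(context.Principal);
    }
    static void Main()
    {
        var doc = new XmlDocument();   // constructed input: the Administrators.aspx policy from the page
        doc.LoadXml(@"<claimsAuthorizationManager><policy resource=""http://localhost:28491/Administrators.aspx"" action=""GET""><and>
            <claim claimType=""http://schemas.xmlsoap.org/claims/Group"" claimValue=""Administrator"" /><claim claimType=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"" claimValue=""USA"" />
            </and></policy></claimsAuthorizationManager>");
        var manager = new PolicyAuthorizationManager();
        manager.LoadCustomConfiguration(doc.DocumentElement.ChildNodes);
        // Constructed principal: has the Administrator group claim but no country claim, so the <and> rule fails.
        var principal = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim("http://schemas.xmlsoap.org/claims/Group", "Administrator") }, "Test"));
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(principal, "http://localhost:28491/Administrators.aspx", "GET")));
    }
}
```

Adding a Claim for the country type with value "USA" to the identity makes the same CheckAccess call return true; a request for a resource that has no policy element is denied by the TryGetValue check instead of throwing.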

.NET Framework

Supported in: 4.5

Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
© 2014 Microsoft