How to: Examine the Security Context


When programming Windows Communication Foundation (WCF) services, the service security context enables you to determine details about the client credentials and claims used to authenticate with the service. This is done by using the properties of the ServiceSecurityContext class.

For example, you can retrieve the identity of the current client by using the PrimaryIdentity or the WindowsIdentity property. To determine whether the client is anonymous, use the IsAnonymous property.

You can also determine what claims are being made on behalf of the client by iterating through the collection of claims in the AuthorizationContext property.

To get the current security context

  • Access the static property Current to get the current security context, then examine any of the context's properties through the returned reference.

To determine the identity of the caller

  1. Print the value of the PrimaryIdentity and WindowsIdentity properties.

To parse the claims of a caller

  1. Return the current AuthorizationContext class. Use the Current property to return the current service security context, then return the AuthorizationContext using the AuthorizationContext property.

  2. Parse the collection of ClaimSet objects returned by the ClaimSets property of the AuthorizationContext class.

The following example prints the values of the WindowsIdentity and PrimaryIdentity properties of the current security context. For every claim in the current security context, it also prints the ClaimType property, the resource value of the claim, and the Right property.

        // Namespaces required by this method.
        using System.IdentityModel.Claims;
        using System.IO;
        using System.ServiceModel;

        // Run this method from within a method protected by the PrincipalPermissionAttribute
        // to see the security context data, including the primary identity.
        public void WriteServiceSecurityContextData(string fileName)
        {
            using (StreamWriter sw = new StreamWriter(fileName))
            {
                // Write the primary identity and Windows identity. The primary identity is derived from
                // the credentials used to authenticate the user. The Windows identity may be a null string.
                sw.WriteLine("PrimaryIdentity: {0}", ServiceSecurityContext.Current.PrimaryIdentity.Name);
                sw.WriteLine("WindowsIdentity: {0}", ServiceSecurityContext.Current.WindowsIdentity.Name);
                // Write the claimsets in the authorization context. By default, there is only one claimset
                // provided by the system.
                foreach (ClaimSet claimset in ServiceSecurityContext.Current.AuthorizationContext.ClaimSets)
                {
                    foreach (Claim claim in claimset)
                    {
                        // Write out each claim type, claim value, and the right. There are two
                        // possible values for the right: "identity" and "possessproperty".
                        sw.WriteLine("Claim Type = {0}", claim.ClaimType);
                        sw.WriteLine("\t Resource = {0}", claim.Resource.ToString());
                        sw.WriteLine("\t Right = {0}", claim.Right);
                    }
                }
            }
        }
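
The same properties can drive an access check instead of a dump. The following is an added example, not part of the original page: it denies the call when there is no security context or the caller is anonymous, then searches every ClaimSet for a required claim. The names `CallerChecks` and `RequireClaim` are hypothetical and are not WCF types.

```csharp
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical helper (not a WCF type): call it at the top of a service operation.
public static class CallerChecks
{
    // Throws unless the authenticated caller possesses a claim of the given type
    // whose resource equals expectedResource. Returns the caller's primary identity name.
    public static string RequireClaim(string claimType, object expectedResource)
    {
        ServiceSecurityContext context = ServiceSecurityContext.Current;

        // Current can be null, for example when no security is applied to the message.
        if (context == null || context.IsAnonymous)
        {
            throw new SecurityAccessDeniedException("Caller is not authenticated.");
        }

        AuthorizationContext authorization = context.AuthorizationContext;
        foreach (ClaimSet claimSet in authorization.ClaimSets)
        {
            // Ask only for PossessProperty claims: these describe something the
            // caller possesses, while Identity claims name the caller itself.
            foreach (Claim claim in claimSet.FindClaims(claimType, Rights.PossessProperty))
            {
                // Resource may be null, so use the null-safe static comparison.
                if (object.Equals(claim.Resource, expectedResource))
                {
                    return context.PrimaryIdentity.Name;
                }
            }
        }

        throw new SecurityAccessDeniedException("Required claim is missing.");
    }
}
```

This check accepts a matching claim from any ClaimSet and does not examine ClaimSet.Issuer; a service that receives claims from more than one issuer should also decide which issuers it trusts for the claim type it requires.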

The code uses the following namespaces:

Securing Services
Service Identity and Authentication