Implementing an Authorization Plug-in

The Windows Media Services authorization process is closely coupled to the authentication process. Before a client can be authorized to retrieve digital media, the identity of the client must be established by an authentication plug-in. The following steps describe how the server interacts with authorization and authentication plug-ins to authorize a client request. These steps are illustrated by the diagram that follows them:

  1. The server calls GetAuthorizedEvents on the IWMSEventAuthorizationPlugin interface to retrieve an array of events that the authorization plug-in can authorize.

  2. The server calls Authenticate on the IWMSAuthenticationContext interface of the first enabled anonymous authentication plug-in. Windows Media Services recognizes two basic authentication plug-in categories. Anonymous authentication plug-ins do not support a challenge and response dialogue between the server and the client. Typically, anonymous authentication plug-ins impersonate a guest account that has minimal privileges. For example, the default account for anonymous access to Windows Media Services is the Windows Media Services Guest Account. Non-anonymous authentication plug-ins such as the WMS Negotiate Authentication plug-in validate users based on logon credentials or, if the logon credentials fail, a challenge and response dialogue. If more than one anonymous authentication plug-in is enabled, the server uses only the one that was enabled first. You can use the SelectionOrder property on the IWMSPlugin interface to modify the plug-in order.

  3. If the client is authenticated, the server calls AuthorizeEvent on the IWMSEventAuthorizationPlugin interface for all of the enabled authorization plug-ins. Each plug-in calls OnAuthorizeEvent on the IWMSEventAuthorizationCallback interface to indicate that it accepted or rejected the client request. If one of the plug-ins refuses to authorize the request, the server will not process it.

  4. If one of the plug-ins in step 3 refuses to authorize the client request or if the client cannot be authenticated by the anonymous authentication plug-in, the server calls Authenticate on the IWMSAuthenticationContext interface of the first enabled non-anonymous authentication plug-in. If the client is authenticated, the server again iterates through the enabled authorization plug-ins to determine whether the client request can be processed. See step 2. If the client cannot be authenticated, the server disconnects it.
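
The four steps above, modelled as a small C++ program. This is an added example, not Windows Media Services code: the types, function names, event labels and sample credentials are hypothetical. It assumes that a lower order value means enabled earlier, that a plug-in is consulted only for events it declared in step 1, and that a missing non-anonymous plug-in ends in a disconnect.

```cpp
// Added model; every name here is hypothetical, not the real WMS COM interfaces.
#include <algorithm>
#include <functional>
#include <set>
#include <string>
#include <vector>
using Str = std::string;
enum class Outcome { Processed, Denied, Disconnected };
struct AuthnPlugin {   // stands in for an authentication plug-in
    bool enabled, anonymous;
    int order;         // assumption: lower value = earlier in selection order
    std::function<bool(const Str& creds, Str& user)> authenticate;
};
struct AuthzPlugin {   // stands in for an authorization plug-in
    bool enabled;
    std::set<Str> events;   // step 1: events it declared it can authorize
    std::function<bool(const Str& user, const Str& ev)> authorize;
};
// First enabled plug-in of the requested category.
const AuthnPlugin* firstEnabled(const std::vector<AuthnPlugin>& v, bool anon) {
    const AuthnPlugin* best = nullptr;
    for (const auto& p : v)
        if (p.enabled && p.anonymous == anon && (!best || p.order < best->order)) best = &p;
    return best;
}
// Step 3: one refusal blocks the request (plug-ins skip events they did not declare).
bool allAuthorize(const std::vector<AuthzPlugin>& v, const Str& user, const Str& ev) {
    return std::all_of(v.begin(), v.end(), [&](const AuthzPlugin& p) {
        return !p.enabled || !p.events.count(ev) || p.authorize(user, ev); });
}
Outcome handleRequest(const std::vector<AuthnPlugin>& authn,
                      const std::vector<AuthzPlugin>& authz, const Str& creds, const Str& ev) {
    Str user;
    const AuthnPlugin* a = firstEnabled(authn, true);   // step 2
    if (a && a->authenticate(creds, user) && allAuthorize(authz, user, ev))
        return Outcome::Processed;
    const AuthnPlugin* n = firstEnabled(authn, false);  // step 4 fallback
    if (!n || !n->authenticate(creds, user)) return Outcome::Disconnected;
    return allAuthorize(authz, user, ev) ? Outcome::Processed : Outcome::Denied;
}
// Constructed sample: guest account, one credential check, one ACL on "PLAY".
Outcome demo(const Str& creds, const Str& ev) {
    std::vector<AuthnPlugin> authn = {
        {true, true, 0, [](const Str&, Str& u) { u = "guest"; return true; }},
        {true, false, 1, [](const Str& c, Str& u) { u = "alice"; return c == "alice:pw"; }}};
    std::vector<AuthzPlugin> authz = {
        {true, {"PLAY"}, [](const Str& u, const Str&) { return u != "guest"; }}};
    return handleRequest(authn, authz, creds, ev);
}
```

In this model a refusal for the anonymous identity is not final: the request falls through to the non-anonymous plug-in, so a rule that rejects the guest account results in a credential check rather than an immediate denial.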
