This documentation is archived and is not being maintained.

IAuthorizationPolicy Interface

Defines a set of rules for authorizing a user, given a set of claims.

Namespace:  System.IdentityModel.Policy
Assembly:  System.IdentityModel (in System.IdentityModel.dll)

Public Interface IAuthorizationPolicy _
	Inherits IAuthorizationComponent
Dim instance As IAuthorizationPolicy

Implement the IAuthorizationPolicy interface to add or map one set of claims to another. An authorization policy examines a set of claims and adds additional claims based on the current set. For example, an authorization policy might evaluate a claim that contains the date of birth and add a claim that asserts that the user is over 21 years old and add an Over21 claim to the EvaluationContext.

Classes that implement the IAuthorizationPolicy interface do not authorize users, but they enable the ServiceAuthorizationManager class to do so. The ServiceAuthorizationManager calls the Evaluate method for each authorization policy in effect. The Evaluate method determines whether additional claims should be added for the user, based on the current context. An authorization policy's Evaluate method may be called multiple times, as claims are added to the EvaluationContext by other authorization policies. When all authorization policies in effect are done, the ServiceAuthorizationManager class makes authorization decisions based upon the final set of claims. The ServiceAuthorizationManager class then creates an AuthorizationContext that contains an immutable set of claims that reflects these authorization decisions.

Public Class MyAuthorizationPolicy
    Implements IAuthorizationPolicy
    Private value_id As String 

    Public Sub New()
        value_id = Guid.NewGuid().ToString()

    End Sub  

    Public Function Evaluate(ByVal evaluationContext As EvaluationContext, _
         ByRef state As Object) As Boolean Implements IAuthorizationPolicy.Evaluate

        Dim bRet As Boolean = False 
        Dim customstate As CustomAuthState = Nothing 

        ' If state is null, then this method has not been called before, so  
        ' set up a custom state. 
        If state Is Nothing Then
            customstate = New CustomAuthState()
            state = customstate
            customstate = CType(state, CustomAuthState)
        End If
        Console.WriteLine("Inside MyAuthorizationPolicy::Evaluate")

        ' If the claims have not been added yet... 
        If Not customstate.ClaimsAdded Then 
            ' Create an empty list of Claims 
            Dim claims As New List(Of Claim)

            ' Iterate through each of the claimsets in the evaluation context. 
            Dim cs As ClaimSet
            For Each cs In evaluationContext.ClaimSets
                ' Look for Name claims in the current claim set. 
                Dim c As Claim
                For Each c In cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty)
                    ' Get the list of operations the given username is allowed to call. 
                    Dim s As String 
                    For Each s In GetAllowedOpList(c.Resource.ToString())

                        ' Add claims to the list
                        claims.Add(New Claim("", _
                                    s, Rights.PossessProperty))
                        Console.WriteLine("Claim added {0}", s)
                    Next s
                Next c
            Next cs 

            ' Add claims to the evaluation context.
            evaluationContext.AddClaimSet(Me, New DefaultClaimSet(Me.Issuer, claims))

            ' Record that claims have been added.
            customstate.ClaimsAdded = True 

            ' Return true, which indicates the method need not to be called again.
            bRet = True 
            ' Should never get here, but just in case...
            bRet = True 
        End If 

        Return bRet

    End Function 'Evaluate

    Public ReadOnly Property Issuer() As ClaimSet Implements IAuthorizationPolicy.Issuer

            Return ClaimSet.System
        End Get 
    End Property 

    Public ReadOnly Property Id() As String Implements IAuthorizationPolicy.Id

            Return value_id
        End Get 
    End Property 
    ' This method returns a collection of action strings that indicate the  
    ' operations that the specified username is allowed to call. 
    Private Shared Function GetAllowedOpList(ByVal username As String) As IEnumerable(Of String)

        Dim ret As New List(Of String)

        If username = "test1" Then
        ElseIf username = "test2" Then
        End If 
        Return ret

    End Function  

    ' This is an internal class for state. 
    Class CustomAuthState
        Private bClaimsAdded As Boolean 

        Public Sub New()

        End Sub  

        Public Property ClaimsAdded() As Boolean 
                Return bClaimsAdded
            End Get 
            Set(ByVal value As Boolean)
                bClaimsAdded = value
            End Set 
        End Property 
    End Class  
End Class

Windows 7, Windows Vista, Windows XP SP2, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0