AuthorizationContext Class

.NET Framework (current version)
 

Provides context information of an authorization event. This includes the principal that represents the caller, the resource that is being requested, and the action that is being performed.

Namespace:   System.Security.Claims
Assembly:  System.IdentityModel (in System.IdentityModel.dll)

System.Object
  System.Security.Claims.AuthorizationContext

public class AuthorizationContext

NameDescription
System_CAPS_pubmethodAuthorizationContext(ClaimsPrincipal, Collection<Claim>, Collection<Claim>)

Initializes a new instance of the AuthorizationContext class with the specified principal, resource claim, and action claim.

System_CAPS_pubmethodAuthorizationContext(ClaimsPrincipal, String, String)

Initializes a new instance of the AuthorizationContext class with the specified principal, resource name, and action name.

NameDescription
System_CAPS_pubpropertyAction

Gets the action for which the principal is to be authorized.

System_CAPS_pubpropertyPrincipal

Gets the principal (subject) for which authorization is being requested.

System_CAPS_pubpropertyResource

Gets the resource on which the principal is to be authorized.

NameDescription
System_CAPS_pubmethodEquals(Object)

Determines whether the specified object is equal to the current object.(Inherited from Object.)

System_CAPS_protmethodFinalize()

Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection.(Inherited from Object.)

System_CAPS_pubmethodGetHashCode()

Serves as the default hash function. (Inherited from Object.)

System_CAPS_pubmethodGetType()

Gets the Type of the current instance.(Inherited from Object.)

System_CAPS_protmethodMemberwiseClone()

Creates a shallow copy of the current Object.(Inherited from Object.)

System_CAPS_pubmethodToString()

Returns a string that represents the current object.(Inherited from Object.)

The AuthorizationContext class represents the context that is used by a claims authorization manager, an implementation of the ClaimsAuthorizationManager class, to determine whether a principal (subject) should be authorized to perform a specified action on a given resource. The claims authorization manager evaluates the authorization context in the CheckAccess method and either denies or grants access based on the claims presented by the principal.

The Principal property contains the principal for which authorization is being requested, the Resource property contains the resource on which the principal is being authorized, and the Action property contains the actions that the principal intends to perform on the resource. Both the resource and the action are represented as a collection of claims; however, in most cases, each collection contains a single claim.

The code example that is used in the AuthorizationContext topic is taken from the Claims Based Authorization sample. This sample provides a custom claims authorization manager that can authorize subjects based on a policy that is specified in configuration. This custom manager consists of three basic components: a class derived from ClaimsAuthorizationManager that implements the manager, the ResourceAction class that pairs a resource and an action, and a policy reader that reads and compiles policy that is specified in the configuration file. This compiled policy can then be used by the claims authorization manager to evaluate a principal in order to authorize access to resources. Not all elements are shown for the sake of brevity. For information about this sample and other samples available for WIF and about where to download them, see WIF Code Sample Index.

The following code shows the CheckAccess method for the custom claims authorization manager. A function that evaluates the principal based on the resource and action specified in the AuthorizationContext is invoked. This function returns either true or false, which either grants or denies access to the principal.

static Dictionary<ResourceAction, Func<ClaimsPrincipal, bool>> _policies = new Dictionary<ResourceAction, Func<ClaimsPrincipal, bool>>();
PolicyReader _policyReader = new PolicyReader();
    /// <summary>
    /// Checks if the principal specified in the authorization context is authorized to perform action specified in the authorization context 
    /// on the specified resoure
    /// </summary>
    /// <param name="pec">Authorization context</param>
    /// <returns>true if authorized, false otherwise</returns>
    public override bool CheckAccess(AuthorizationContext pec)
    {
        //
        // Evaluate the policy against the claims of the 
        // principal to determine access
        //
        bool access = false;
        try
        {
            ResourceAction ra = new ResourceAction(pec.Resource.First<Claim>().Value, pec.Action.First<Claim>().Value);

            access = _policies[ra](pec.Principal);
        }
        catch (Exception)
        {
            access = false;
        }

        return access;
    }
}

The following XML shows an example of the authorization policy that was specified in configuration. In the first policy, the principal must possess one of the specified claims in order to perform the specified action on the specified resource. In the second policy, the principal must possess both claims to be able to perform the specified action on the specified resource. In all others, the principal is automatically granted access regardless of the claims it possesses.

<system.identityModel>
  <identityConfiguration>
    <claimsAuthorizationManager type="ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager, ClaimsAuthorizationLibrary">
      <policy resource="http://localhost:28491/Developers.aspx" action="GET">
        <or>
          <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" claimValue="developer" />
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
        </or>
      </policy>
      <policy resource="http://localhost:28491/Administrators.aspx" action="GET">
        <and>
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
          <claim claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" claimValue="USA" />
        </and>
      </policy>
      <policy resource="http://localhost:28491/Default.aspx" action="GET">
      </policy>
      <policy resource="http://localhost:28491/" action="GET">
      </policy>
      <policy resource="http://localhost:28491/Claims.aspx" action="GET">
      </policy>
    </claimsAuthorizationManager>

    ...

  </identityConfiguration>
</system.identityModel>

.NET Framework
Available since 4.5

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Return to top
Show: