ServiceAuthorizationManager.CheckAccessCore(OperationContext) Method

Reference

Definition

Namespace:: System.ServiceModel

Assembly:: System.ServiceModel.dll

Important

Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Checks authorization for the given operation context based on default policy evaluation.

protected:
 virtual bool CheckAccessCore(System::ServiceModel::OperationContext ^ operationContext);

protected virtual bool CheckAccessCore (System.ServiceModel.OperationContext operationContext);

abstract member CheckAccessCore : System.ServiceModel.OperationContext -> bool
override this.CheckAccessCore : System.ServiceModel.OperationContext -> bool

Protected Overridable Function CheckAccessCore (operationContext As OperationContext) As Boolean

Parameters

operationContext: OperationContext

The OperationContext for the current authorization request.

Returns

Boolean

true if access is granted; otherwise, false. The default is true.

Examples

The following example shows an override of the CheckAccessCore method.

protected override bool CheckAccessCore(OperationContext operationContext)
{
  // Extract the action URI from the OperationContext. Match this against the claims
  // in the AuthorizationContext.
  string action = operationContext.RequestContext.RequestMessage.Headers.Action;

  // Iterate through the various claim sets in the AuthorizationContext.
  foreach(ClaimSet cs in operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
  {
    // Examine only those claim sets issued by System.
    if (cs.Issuer == ClaimSet.System)
    {
      // Iterate through claims of type "http://www.contoso.com/claims/allowedoperation".
        foreach (Claim c in cs.FindClaims("http://www.contoso.com/claims/allowedoperation", Rights.PossessProperty))
      {
        // If the Claim resource matches the action URI then return true to allow access.
        if (action == c.Resource.ToString())
          return true;
      }
    }
  }

  // If this point is reached, return false to deny access.
  return false;
}

Protected Overrides Function CheckAccessCore(ByVal operationContext As OperationContext) As Boolean 
    ' Extract the action URI from the OperationContext. Match this against the claims.
    ' in the AuthorizationContext.
    Dim action As String = operationContext.RequestContext.RequestMessage.Headers.Action
    
    ' Iterate through the various claimsets in the AuthorizationContext.
    Dim cs As ClaimSet
    For Each cs In  operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets
        ' Examine only those claim sets issued by System.
        If cs.Issuer Is ClaimSet.System Then
            ' Iterate through claims of type "http://www.contoso.com/claims/allowedoperation".
            Dim c As Claim
            For Each c In  cs.FindClaims("http://www.contoso.com/claims/allowedoperation", _
                 Rights.PossessProperty)
                ' If the Claim resource matches the action URI then return true to allow access.
                If action = c.Resource.ToString() Then
                    Return True
                End If
            Next c
        End If
    Next cs 
    ' If this point is reached, return false to deny access.
    Return False

End Function

For another example, see How to: Create a Custom Authorization Manager for a Service.

Remarks

ServiceSecurityContext is generally the result from the default policy evaluation.

Override this method to provide custom authorization decisions.

This method can be used to make authorization decisions based on claim sets that are inferred based on incoming tokens, or added through external authorization policies. It can also make authorization decisions based on properties of the incoming message: for example, the action header.

In this method, the application can use the operationContext parameter to access the caller identity (ServiceSecurityContext). By returning the RequestContext object from the RequestContext property, the application can access the entire request message (RequestMessage). By returning the MessageHeaders object from the IncomingMessageHeaders property, the application can access the service URL (To) and the operation (Action). With this information, the application can perform the authorization decision accordingly.

The claims made by a user are found in the ClaimSet returned by the ClaimSets property of the AuthorizationContext. The current AuthorizationContext is returned by the ServiceSecurityContext property of the OperationContext class.

Applies to