I was playing around with new stuff in 4.5 and wrote a simple console application that is supposed to check a few things in new claims based security model. I’ve created custom implementations of ClaimsAuthorizationManager and ClaimsAuthenticationManager, added them to application config file, set AppDomain principal policy to windows principal, and almost everyghing works well except AuthenticationManager.Authenticate method being called.
AuthorizationManager.CheckAccess is being called as expected.
I guess that this is right behaviour as when running console app the user is already authenticated and there is no need to do it on app startup. However I would like to transform some claims based on – let us say profile stored in database.
Of course I can do it manually and deal with the CurrentPrinciapal object on my own. However I was wondering if there is a way to force app to use AuthManager to do it for me.
Just being curious 🙂
So, here are two managers. They basically do nothing, exist just for setting break point 🙂
public class AuthorizationManager : ClaimsAuthorizationManager
{
public override bool CheckAccess(AuthorizationContext context)
{
return base.CheckAccess(context);
}
}
public class Authenticationmanager : ClaimsAuthenticationManager
{
public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
{
return base.Authenticate(resourceName, incomingPrincipal);
}
}
App.config looks like this:
<configuration>
<configSections>
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
</startup>
<system.identityModel>
<identityConfiguration>
<claimsAuthenticationManager type="ClaimsSandbox.Authenticationmanager, ClaimsSandbox"/>
<claimsAuthorizationManager type="ClaimsSandbox.AuthorizationManager, ClaimsSandbox"/>
</identityConfiguration>
</system.identityModel>
</configuration>
And the code that does nothing special:
class Program
{
static void Main(string[] args)
{
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
var principal = Thread.CurrentPrincipal;
DescribeMe(principal);
ClaimsPrincipalPermission.CheckAccess("foo ", "bar");
Console.ReadLine();
}
private static void DescribeMe(System.Security.Principal.IPrincipal principal)
{
Console.WriteLine(principal);
var claimsPrincipal = principal as ClaimsPrincipal;
claimsPrincipal.IsInRole("Foo");
Console.WriteLine(claimsPrincipal.Identity.IsAuthenticated);
}
}
In a console app, you would have to explicitly call Authenticate() like this. In .NET 4.5, you use IdentityConfiguration. In .NET 4.0, it would have been FederatedAuthentication.ServiceConfiguration.ClaimsAuthenticationManager.
Idea behind taking the pains of providing one’s own implementation of CAM is, you will want to add, modify of delete claims on the token from STS. You can have your own logic in adding stuff based on your database and all that here and enrich the principal that was created based on the claims from STS (incomingPrincipal).