Ruurd Boeke

Hi,

I'm using wshttpbinding with message clientcredentialType of windows.

When I decorate my operation with:

[PrincipalPermission(SecurityAction.Demand, Role = @"domain\role")]

this works. (although changes in active directory are only picked up after a reboot of my machine ).

Now I'm building a more flexible system, which will look at the claims provided and will compare it to a claim of my own (like in com-430):

Claim requiredClaim = Claim.CreateRoleClaim(@"domain\role"); // verbatim string: "\r" in a plain literal is a carriage return, not a backslash

However, when using a comparer like this:

ClaimComparer comp = ClaimComparer.GetDefaultComparer( requiredClaim.ClaimType);

in an iteration of the claims, it will not be found. The claimset provided is mostly SID-claims. So it seems I have to work directly with a sid claim......

Is there some way around this

Kind regards,

Ruurd Boeke




Re: Windows Communication Foundation (Indigo) how to use Claim.CreateRoleClaim for a role with clientCredentialType=windows

Gudge

Hi,

Firstly, the CLR PrincipalPermission authorization mechanism and the claim based mechanism support via OperationRequirement are distinct.

Secondly, the claims served up by the Windows token will be mainly SID claims. We don't know what roles the user should be in (and we don't automatically translate group SIDs to Role claims, because it's expensive and we don't know whether a given service cares or not). You could plug in an additional IAuthorizationPolicy implementation (via the AuthorizationDomain property on the ServiceAuthorizationBehavior). This implementation would know how to map SID claims to Role claims and would add the appropriate Role claims to the authorization context (via the provided EvaluationContext).

Does this help? Feel free to fire more questions at me!

Cheers

Gudge
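An added example of the approach Gudge describes, written for this thread and not taken from any poster or from the WCF samples: a custom IAuthorizationPolicy that reads the SID claims the Windows token produced, maps the ones it recognises to role claims, and adds them to the EvaluationContext, plus a helper an operation can call to check for a role. It assumes the shipped names `ServiceAuthorizationBehavior.ExternalAuthorizationPolicies` and `ClaimSet.FindClaims`; the role claim type URI, the `SidToRoleAuthorizationPolicy` and `RoleCheck` class names, and the SID-to-role table are all made up for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical policy (added example): turns Windows group SID claims into role claims.
public sealed class SidToRoleAuthorizationPolicy : IAuthorizationPolicy
{
    // Assumption: role claims are identified by this URI. System.IdentityModel.Claims.ClaimTypes
    // has no Role member, so pick a type and use it on both the policy and the checks.
    public const string RoleClaimType = "http://example.com/claims/role";

    // Constructed mapping from group SIDs to application roles. Values are placeholders,
    // not real SIDs; in a real service this table would come from configuration.
    // Translating with identifier.Translate(typeof(NTAccount)) instead would work too,
    // but costs a directory lookup per SID, which is the expense Gudge mentions.
    private static readonly IDictionary<string, string> SidToRole = new Dictionary<string, string>
    {
        { "S-1-5-21-0000000000-0000000000-0000000000-1234", @"domain\role" },
    };

    private readonly string id = Guid.NewGuid().ToString();

    public string Id { get { return id; } }

    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // WCF may call Evaluate several times for one context; do the mapping once.
        if (state != null) return true;
        state = new object();

        var roleClaims = new List<Claim>();
        foreach (ClaimSet set in evaluationContext.ClaimSets)
        {
            // Group memberships arrive as PossessProperty SID claims whose Resource is a SecurityIdentifier.
            foreach (Claim sid in set.FindClaims(ClaimTypes.Sid, Rights.PossessProperty))
            {
                var identifier = sid.Resource as SecurityIdentifier;
                if (identifier == null) continue;

                string role;
                if (SidToRole.TryGetValue(identifier.Value, out role))
                    roleClaims.Add(new Claim(RoleClaimType, role, Rights.PossessProperty));
            }
        }

        // Add after enumeration finishes; adding while iterating ClaimSets would invalidate the enumerator.
        if (roleClaims.Count > 0)
            evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, roleClaims));
        return true;
    }

    // Registers the policy on a host; the config equivalent is
    // <serviceAuthorization><authorizationPolicies><add policyType="..."/></authorizationPolicies></serviceAuthorization>.
    public static void Register(ServiceHost host)
    {
        host.Authorization.ExternalAuthorizationPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(
            new IAuthorizationPolicy[] { new SidToRoleAuthorizationPolicy() });
    }
}

// Hypothetical helper for use inside an operation, once the policy above has run.
public static class RoleCheck
{
    public static bool IsInRole(string role)
    {
        AuthorizationContext ctx = ServiceSecurityContext.Current.AuthorizationContext;
        foreach (ClaimSet set in ctx.ClaimSets)
            foreach (Claim c in set.FindClaims(SidToRoleAuthorizationPolicy.RoleClaimType, Rights.PossessProperty))
                if (string.Equals((string)c.Resource, role, StringComparison.OrdinalIgnoreCase))
                    return true;
        return false;
    }
}
```

Inside an operation, `if (!RoleCheck.IsInRole(@"domain\role")) throw new SecurityException();` (or a FaultException) gives the claim-based equivalent of the PrincipalPermission demand. Because the policy only consults its own table, a group not listed there yields no role claim and the check fails closed.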





Re: Windows Communication Foundation (Indigo) how to use Claim.CreateRoleClaim for a role with clientCredentialType=windows

TheShark

yes, this helps ;-)

Thanks,

Ruurd






Re: Windows Communication Foundation (Indigo) how to use Claim.CreateRoleClaim for a role with clientCredentialType=windows

Yifat

Hi,

I'm trying to figure out how to implement the following scenario:

I need to pass the role definition from one service to another.

The caller service has the knowledge about each role's authorized actions, and this information should be passed to another WCF service. Should I use a custom security token, or is there already a type that suits my need?

Are you familiar with a suitable sample?

Thanks in advance,

Yifat
