In the last post, I described the purpose of the IAuthorizationPolicy interface and the related policy evaluation process. In this post I will briefly described the classes involved in this process and how it can be customized.
The ServiceHostBase class contains the Authorization property, of type ServiceAuthorizationBehavior. This is the place where most of the authorization related service configuration is done. One of these configuration items is the ServiceAuthorizationManager that is used by the WCF runtime when dispatching a received message.
Note that the class is not sealed and the methods are virtual, meaning that a custom authorization manager can be used by creating a class derived from ServiceAuthorizationManager and assigning a instance of it to the ServiceAuthorizationBehavior.
One way of understanding the semantics of these methods is by analyzing how they are called by the WCF runtime. It all starts with the call of the CheckAccess method, that does the following:
- Calls the GetAuthorizationPolicies method to retrieve the collection with all the IAuthorizationPolicy objects. The base implementation of this last method retrieves both the token policies and external policies from the OperationContext
- Then, it creates a new ServiceSecurityContext, using the retrieved set of authorization policies, and assigns it to the property operationContext.IncomingMessageProperties.Security.ServiceSecurityContext.
This ServiceSecurityContext has a property that returns a AuthorizationContext. Note that the AuthorizationContext is the container of all the claim sets (see this post for further information).
- Finally, it returns the result of calling CheckAccessCore (which returns true by default).
Several customizations to the authorization manager can be made:
- The simplest one is to override the CheckAccessCore method, inserting in it the authorization decision logic. Note that at this point, the resulting claim sets are already available and can be used by the authorization decision logic.
- Another type of customization is to override the GetAuthorizationPolicies method. This can be useful to change the authorization polices that are used, e. g. , retrieve policies from an external policy store. As another example, this customization point is also used by Zermatt’s ExtensibleServiceCredentials.ConfigureServiceHost method.
- Finally, the CheckAccess method can also be overridden, allowing for a complete change in the authorization process.
The next figure presents the majority of the classes involved in this process.