Using Zermatt’s claims model on WCF: ClaimsPrincipal.Current

In the last post, I briefly presented Zermatt’s claims model. This model can be used in both WCF based services or ASP.NET based web applications.

Beginning with this post, I will describe how this new claims model is integrated into WCF, using WCF’s extensibility points, and also what are some consequences of this integration.

Once again, keep in mind that these are empirical observations of the first beta release.

One way of using Zermatt’s claims model on a service, without needing to change WCF’s default behavior, is via the ClaimsPrincipal.Current static property. In WCF, the getter method will first check if the incoming message properties (available in the current operation context) contains a property whose name is typeof(IClaimsIdentity).FullName. If not, the getter method will create and return a ClaimsPrincipal instance based on the following procedure:

 

ClaimsPrincipal.Current

  1. Retrieves all the IAuthorizationPolicy objects from the current operation context.
  2. Creates a default AuthorizationContext with the claim sets produced by the evaluation of the above IAuthorizationPolicy set.
  3. Creates one ClaimsIdentity instance for each ClaimSet in the above AuthorizationContext. This ClaimsIdentity instance will contain one claim for each claim in the claim set whose with right equals Rights.PossessProperty (this means that claims with right = Rights.Identity will not be reflected in Zermatt’s claims model).
  4. Creates one ClaimsPrincipal referring the above ClaimsIdentity collection.

 

Before returning, the property’s getter method also adds the created ClaimsPrincipal instance to the incoming message properties, so that subsequent calls will simply return this ClaimsPrincipal cached instance.

In other words, the IClaimsPrincipal returned by ClaimsPrincipal.Current represents a view, using the “new” Zermatt’s claims model, of the “old” (System.IdentityModel) claims model.

Note however that this IClaimsPrincipal must be explicitly requested and is not referenced by Thread.CurrentPrincipal neither by ServiceSecurityContext.PrimaryIdentity.

 

Comments?

One thought on “Using Zermatt’s claims model on WCF: ClaimsPrincipal.Current

  1. Pingback: Identity’s new Identity - Part 4, The Links (or, Identity for .NET Hyperlink Acupuncture) | The Freak Parade

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s