ASP.NET Web Application Authorization using ADFS Claims

StackOverflow https://stackoverflow.com/questions/20149934

Question

I have put together a dynamic data web application using ASP.NET. I have also put together some classes for an AuthorizationManager. The one thing I'm unsure of is how to plug this into the web app to make it so only users in a specific role based on claims from ADFS can have access to the application. For the purpose of security, I have abstracted small bits of code. Here are the files I have so far:

AuthorizationHelper:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Web;

namespace ApplicationManager.Authorization
{
public class AuthorizationHelper
{
    /// <summary>
    /// Checks the access.
    /// </summary>
    /// <param name="resource">The resource.</param>
    /// <param name="action">The action.</param>
    /// <returns></returns>
    public static bool CheckAccess(string resource, string action)
    {
        AuthorizationContext context = new AuthorizationContext(HttpContext.Current.User as IClaimsPrincipal, resource, action);
        return FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager.CheckAccess(context);
    }

    /// <summary>
    /// Checks the access for an action based on user context.
    /// </summary>
    /// <param name="resource">The resource.</param>
    /// <param name="action">The action.</param>
    /// <param name="user">The user.</param>
    /// <returns></returns>
    public static bool CheckAccess(string resource, string action, UserInfo user)
    {
        AuthorizationContext context = new AuthorizationContext(HttpContext.Current.User as IClaimsPrincipal, resource, action);
        AuthorizationManager authManager = (AuthorizationManager)FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager;

        return authManager.CheckAccess(context, user);
    }

    /// <summary>
    /// Confirmes the logged in user has access to perform the specified action on the user.
    /// </summary>
    /// <param name="resource">The resource.</param>
    /// <param name="action">The action.</param>
    /// <param name="user">The user.</param>
    /// <exception cref="System.Security.SecurityException"></exception>
    public static void ConfirmAccess(string resource, string action, UserInfo user)
    {
        if (!CheckAccess(resource, action, user))
        {
            throw new SecurityException(string.Format("{0} does not have rights to manage {1}.  Please contact the idm security administrator.", HttpContext.Current.User.Identity.Name, user.UserId));
        }
    }
}
}

AuthorizationManager:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;
using ApplicationManager.Models;

namespace ApplicationManager.Authorization
{
public class AuthorizationManager : ClaimsAuthorizationManager
{

    private const string HelpDeskRole = @"****_Helpdesk";
    private const string UsersRole = @"****_ADMIN_USERS";
    private const string SupportRole = @"****_Admin_Support";
    private const string SuperUsersRole = @"****_ADMIN_SUPERUSERS";
    private const string ReportingRole = @"****_ADMIN__Reporting";
    private const string AdminRole = @"****_Admin_Administrator";
    private const string PersonalUserManagmentRole = @"****_PERSONAL_USER_MANAGEMENT";
    private const string ProfessionalUserManagmentRole = @"****_PROF_USER_MANAGEMENT";

    private static readonly string[] AllRoles = new string[] { HelpDeskRole, UsersRole, SupportRole, SuperUsersRole, ReportingRole, AdminRole };
    private static readonly string[] CustomRoles = new string[] { SuperUsersRole, AdminRole };

    public bool CheckAccess(AuthorizationContext context, UserInfo user)
    {
        if (!context.Principal.Identity.IsAuthenticated)
        {
            return false;
        }
        string resource = context.Resource.First().Value;
        string action = null;
        if (context.Action.Count > 0)
        {
            action = context.Action.First().Value;
        }
        switch (resource)
        { 
            case Resources.ApplicationManager:
                return IsAuthorizedForApplications(context.Principal, action);
        }
        return false;
    }

    private bool IsAuthorizedForApplications(IClaimsPrincipal claimsPrincipal, string action)
    {
        switch (action)
        { 
            case Operations.ApplicationManager:
                return IsInAnyRole(claimsPrincipal, CustomRoles);
        }
        return false;
    }

    public bool IsInAnyRole(IClaimsPrincipal principal, string[] roles)
    {
        foreach (string role in roles)
        {
            if (principal.IsInRole(role))
            {
                return true;
            }
        }
        return false;
    }
}
}

Operations:

namespace ApplicationManager.Authorization
{
public class Operations
{
    public const string ApplicationManager = "Applications";
}
}

Resources:

namespace ApplicationManager.Authorization
{
public class Resources
{
    public const string ApplicationManager = "Applications";
}
}

I would like to plug this all in and deny use of the application based on the role the user is in. I do have models in place that get the userid and userrole. I need to know where and how to code this to block access to the complete application based on the users role.

Was it helpful?

Solution

You need to register your claims authentication manager in the pipeline. It fires upon every request:

http://www.brainthud.com/cards/5218/5016/explain-the-usage-of-the-claimsauthorizationmanager-class/

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top