Using ClaimsAuthenticationManager in a console application

StackOverflow https://stackoverflow.com/questions/12253828

Question

I was playing around with new stuff in 4.5 and wrote a simple console application that is supposed to check a few things in new claims based security model. I've created custom implementations of ClaimsAuthorizationManager and ClaimsAuthenticationManager, added them to application config file, set AppDomain principal policy to windows principal, and almost everyghing works well except AuthenticationManager.Authenticate method being called.

AuthorizationManager.CheckAccess is being called as expected.

I guess that this is right behaviour as when running console app the user is already authenticated and there is no need to do it on app startup. However I would like to transform some claims based on - let us say profile stored in database. Of course I can do it manually and deal with the CurrentPrinciapal object on my own. However I was wondering if there is a way to force app to use AuthManager to do it for me.

Just being curious :)

So, here are two managers. They basically do nothing, exist just for setting break point :)

  public class AuthorizationManager : ClaimsAuthorizationManager  
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        return base.CheckAccess(context);
    }
}

 public class Authenticationmanager : ClaimsAuthenticationManager 
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {            
        return base.Authenticate(resourceName, incomingPrincipal);
    }
}

App.config looks like this:

    <configuration>
  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
    </startup>
  <system.identityModel>
    <identityConfiguration>
      <claimsAuthenticationManager type="ClaimsSandbox.Authenticationmanager, ClaimsSandbox"/>
      <claimsAuthorizationManager type="ClaimsSandbox.AuthorizationManager, ClaimsSandbox"/>
    </identityConfiguration>    
  </system.identityModel>  
</configuration>

And the code that does nothing special:

 class Program
{
    static void Main(string[] args)
    {            
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        var principal = Thread.CurrentPrincipal;
        DescribeMe(principal);
        ClaimsPrincipalPermission.CheckAccess("foo ", "bar");
        Console.ReadLine();
    }

    private static void DescribeMe(System.Security.Principal.IPrincipal principal)
    {
        Console.WriteLine(principal);
        var claimsPrincipal = principal as ClaimsPrincipal;
        claimsPrincipal.IsInRole("Foo");
        Console.WriteLine(claimsPrincipal.Identity.IsAuthenticated);
    }
}
Was it helpful?

Solution

In a console app, you would have to explicitly call Authenticate() like this. In .NET 4.5, you use IdentityConfiguration. In .NET 4.0, it would have been FederatedAuthentication.ServiceConfiguration.ClaimsAuthenticationManager.

var cam = IdentityConfiguration.ClaimsAuthenticationManager;
Thread.CurrentPrincipal = cam.Authenticate
                                 ("http://badri/MyResource",
                                         incomingPrincipal);

Idea behind taking the pains of providing one's own implementation of CAM is, you will want to add, modify of delete claims on the token from STS. You can have your own logic in adding stuff based on your database and all that here and enrich the principal that was created based on the claims from STS (incomingPrincipal).

OTHER TIPS

ClaimsAuthenticationManager is part of WIF processing pipeline. You can derive from this class to provide claims transformation inside this pipeline. There is no need to explicitly call Authenticate method since it does nothing in it's base implementation.

To get this method called you have to integrate WIF with either WCF or ASP.NET application (can be MVC).

Quoting msdn:

WIF also provides developers with a consistent programming experience whether they choose to build their applications in ASP.NET or in WCF environments.

You can read more here.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top