I just started a new job and was assigned as a first task to improve an existing app. This app is a simple profile manager with profile creation, editing... and uses claims-based authorization to determine whether the current user is able to, say, create a new profile.
As I was not familiar with this kind of authorization system, I read a lot about it and updated the app's security claims, which now work fine.
However, something bothers me a lot. As far as I understand, checking the possibility of an action has two outcomes:
- You are allowed to do it (i.e. the custom claims manager implemented returns `true`): nothing happens, cool.
- You are not allowed to do it (the authorization manager returned `false`): an exception is thrown, caught in my client, which then turns the `canCreateProfile` variable to false.
A standard example would be this:
```csharp
using System.Security;

// Returns true when the current principal may create a profile, false otherwise.
// Resource and ResourceAction are the app's own enums.
bool CanCreateProfile()
{
    try
    {
        ClaimsPrincipalPermission.CheckAccess(Resource.Profile.ToString(), ResourceAction.Create.ToString());
        return true;
    }
    catch (SecurityException)
    {
        // CheckAccess signals a denial by throwing rather than returning false.
        return false;
    }
}
```
Well... I find it rather disturbing.
A typical usage example: if I am a readonly user, three exceptions would be fired every time I select a new profile. Not slow, but somehow disturbing.
Is claims-based authorization actually relying on exceptions only, or is there a way to just work directly with the booleans?

`A first chance exception of type 'System.Security.SecurityException' occurred in Microsoft.IdentityModel.dll`

gives me the creeps anyway!
Thank you!
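As an added example (not code from the post or its app), this shows the two faces of the same check: the configured `ClaimsAuthorizationManager` already returns a plain bool, and `ClaimsPrincipalPermission.CheckAccess` is only a wrapper that turns `false` into a `SecurityException`. The `ProfileAuthorizationManager` class, its `profile-admin` role claim and the `ProfileAccess` helper are hypothetical stand-ins for the post's custom manager; the code targets WIF 4.5 (`System.IdentityModel.Services`).

```csharp
using System;
using System.Linq;
using System.IdentityModel.Services;
using System.Security;
using System.Security.Claims;

// Hypothetical custom manager standing in for the one the app registers in config.
// The framework calls CheckAccess and uses its bool; the exception only appears
// when the caller goes through ClaimsPrincipalPermission.
public class ProfileAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        string resource = context.Resource.First().Value;
        string action = context.Action.First().Value;

        // Constructed policy: any authenticated user may read a profile; only users
        // holding the hypothetical "profile-admin" role claim may do anything else.
        if (resource == "Profile" && action == "Read")
            return context.Principal.Identity.IsAuthenticated;

        return context.Principal.HasClaim(ClaimTypes.Role, "profile-admin");
    }
}

public static class ProfileAccess
{
    // Boolean check for driving UI state (e.g. a canCreateProfile flag): ask the
    // configured manager directly, so a denial is just 'false' and nothing is thrown.
    public static bool Can(string resource, string action)
    {
        ClaimsAuthorizationManager manager = FederatedAuthentication
            .FederationConfiguration.IdentityConfiguration.ClaimsAuthorizationManager;
        var context = new AuthorizationContext(ClaimsPrincipal.Current, resource, action);
        return manager.CheckAccess(context);
    }

    // Hard gate at the point where the operation actually runs. Keep this even when
    // the UI already hides the button: the flag is convenience, the gate is the control.
    public static void Demand(string resource, string action)
    {
        // Same manager behind the scenes; a false result surfaces as SecurityException.
        ClaimsPrincipalPermission.CheckAccess(resource, action);
    }
}
```

With the WIF 3.5 assembly named in the post (Microsoft.IdentityModel.dll) the same types live in the `Microsoft.IdentityModel.Claims` namespace and the manager is reached through `FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager`.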