Question

I just started a new job and was assigned as a first task to improve an existing app. This app is a simple profile manager with profile creation, editing, and so on, and uses claims-based authorization to determine if the current user is able to, say, create a new profile.

As I was not familiar with this kind of authorization system, I read a lot about it, updated the app's security claims, which now work fine.

However, something bothers me a lot. As far as I understand, checking the possibility of an action has two outcomes:

  1. You are allowed to do it (i.e. the custom claims manager implemented returns true), nothing happens, cool.
  2. You are not allowed to do it (the authorization manager returned false). An exception is thrown, caught in my client, which then turns the canCreateProfile variable to false.

A standard example would be this:

    using System.Security;
    using Microsoft.IdentityModel.Claims;

    // Returns true when the ClaimsAuthorizationManager allows the action; CheckAccess throws SecurityException when it does not.
    bool CanCreateProfile()
    {
        try
        {
            ClaimsPrincipalPermission.CheckAccess(Resource.Profile.ToString(), ResourceAction.Create.ToString());
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

Well... I find it rather disturbing. A typical usage example: if I am a read-only user, three exceptions would be fired every time I select a new profile. Not slow, but somehow disturbing.

Is claims-based authorization actually relying on exceptions only, or is there a way to just work directly with the booleans?

A first chance exception of type 'System.Security.SecurityException' occurred in Microsoft.IdentityModel.dll gives me the creeps anyway!

Thank you!


Answer

Sure, there is nothing stopping you from constructing the AuthorizationContext yourself (setting resource, action and principal) and calling the AuthorizationManager manually. You can reach it via the FederatedAuthentication class.

This is an example for MVC/Web API http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/

Updated to v5/v2 https://github.com/thinktecture/Thinktecture.IdentityModel/blob/master/source/Thinktecture.IdentityModel.WebApi/ResourceActionAuthorizeAttribute.cs

and this is the base plumbing: https://github.com/thinktecture/Thinktecture.IdentityModel/blob/master/source/Thinktecture.IdentityModel.Core/ClaimsAuthorization.cs
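The approach the answer describes, as an added example that is not code from the original post or from the Thinktecture.IdentityModel library: a helper that builds the AuthorizationContext, asks the ClaimsAuthorizationManager directly and hands back its bool, plus a small custom manager and constructed principals so the whole thing runs as a console program with no try/catch anywhere. The Resource/ResourceAction enums are the asker's names, and ProfileAuthorizationManager together with the "reader"/"editor" role values is an assumed policy for the demo. It targets the .NET 4.5 System.IdentityModel namespaces; the 3.5 Microsoft.IdentityModel namespaces the question's exception message points at have the same shape, with FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager in place of FederationConfiguration.IdentityConfiguration.ClaimsAuthorizationManager.

```csharp
// Added example, not code from the original post or from Thinktecture.IdentityModel.
// Targets .NET 4.5 WIF: System.IdentityModel.dll and System.IdentityModel.Services.dll.
using System;
using System.Security.Claims;
using System.IdentityModel.Services;

// Assumed: the asker's own enums, not part of WIF.
public enum Resource { Profile }
public enum ResourceAction { Create, Read, Update, Delete }

public static class ClaimsAuthorization
{
    // The manager registered in web.config, reached through FederatedAuthentication
    // (only available inside the configured web app, not in the console demo below).
    public static ClaimsAuthorizationManager ConfiguredManager
    {
        get
        {
            return FederatedAuthentication.FederationConfiguration
                .IdentityConfiguration.ClaimsAuthorizationManager;
        }
    }

    // Same AuthorizationContext that ClaimsPrincipalPermission.CheckAccess builds,
    // but the manager's bool is returned instead of being turned into a SecurityException.
    public static bool CheckAccess(ClaimsAuthorizationManager manager, ClaimsPrincipal principal,
                                   Resource resource, ResourceAction action)
    {
        if (manager == null) throw new ArgumentNullException("manager");
        if (principal == null) return false; // fail closed: no principal, no access

        var context = new AuthorizationContext(principal, resource.ToString(), action.ToString());
        return manager.CheckAccess(context);
    }

    // Convenience overload for the web app: current user, configured manager.
    public static bool CheckAccess(Resource resource, ResourceAction action)
    {
        return CheckAccess(ConfiguredManager, ClaimsPrincipal.Current, resource, action);
    }
}

// Assumed policy for the demo: "reader" may only read profiles, "editor" may do anything.
// Anything not explicitly allowed is denied.
public class ProfileAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        // Resource and Action are claim collections; the string constructor used above
        // puts exactly one claim in each, so take its Value.
        string resource = context.Resource.Count > 0 ? context.Resource[0].Value : null;
        string action = context.Action.Count > 0 ? context.Action[0].Value : null;

        if (resource != Resource.Profile.ToString()) return false;

        bool isEditor = context.Principal.HasClaim(ClaimTypes.Role, "editor");
        bool isReader = context.Principal.HasClaim(ClaimTypes.Role, "reader");

        if (action == ResourceAction.Read.ToString()) return isEditor || isReader;
        return isEditor;
    }
}

class Program
{
    static ClaimsPrincipal MakePrincipal(string name, string role)
    {
        // Constructed identity for the demo; in the app it comes from the session token.
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, name), new Claim(ClaimTypes.Role, role) }, "demo");
        return new ClaimsPrincipal(identity);
    }

    static void Main()
    {
        var manager = new ProfileAuthorizationManager();
        var readOnlyUser = MakePrincipal("alice", "reader");
        var editor = MakePrincipal("bob", "editor");

        // No try/catch and no first-chance SecurityException: plain booleans for the UI.
        foreach (ResourceAction action in Enum.GetValues(typeof(ResourceAction)))
        {
            Console.WriteLine("alice {0} Profile: {1}", action,
                ClaimsAuthorization.CheckAccess(manager, readOnlyUser, Resource.Profile, action));
            Console.WriteLine("bob   {0} Profile: {1}", action,
                ClaimsAuthorization.CheckAccess(manager, editor, Resource.Profile, action));
        }
    }
}
```

In the web app, bind canCreateProfile to ClaimsAuthorization.CheckAccess(Resource.Profile, ResourceAction.Create) and the read-only user produces four quiet false values instead of four exceptions. The boolean is only a UI convenience: keep the server-side check (ClaimsPrincipalPermission.CheckAccess or the same manager call) on the action that actually creates the profile, since the client can flip a flag but cannot bypass the manager.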

License: CC-BY-SA with attribution
Not affiliated with StackOverflow