In .NET 4.5 Microsoft moved claims-based security (the ClaimsPrincipal and Claim types used below) into mscorlib, the core library of the .NET Framework.
This move away from explicit role-based security to a claims-based model allows finer-grained decisions (any attribute of the user, not just role membership) and decouples the authorisation rules from application code: the rules live in a separate authorisation manager, which can in turn delegate to a third-party service.
Old-style permissions (role-based, System.Security.Permissions)
Attribute-based (declarative demand)
/// <summary>
/// Declarative (attribute-based) role check. Before the body runs, the CLR
/// demands that Thread.CurrentPrincipal is in the "Development" role and
/// throws a SecurityException if it is not; the Name part of the permission is
/// left unset, so any identity in that role is accepted. Whoever calls this
/// must therefore have set the thread principal first, and should catch
/// SecurityException (not Exception) to report a denial.
/// </summary>
[PrincipalPermission(SecurityAction.Demand, Role = "Development")]
private void DoDeveloperWork()
{
    const string message = "You are a developer";
    Console.WriteLine(message);
}
Inline security (imperative demand)
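// Imperative (inline) role check. PrincipalPermission.Demand() throws
// SecurityException when Thread.CurrentPrincipal is not in the "Development"
// role, so the protected work only runs once the demand has passed. Name is
// null: any identity in the role is accepted.
//
// Only SecurityException is caught here. The previous catch (Exception)
// would also have swallowed unrelated failures (e.g. a bug inside the
// protected block) and reported them as if they were authorisation denials;
// anything other than a denial now propagates to the caller.
try
{
    new PrincipalPermission(null, "Development").Demand();
    Console.WriteLine("You are a developer");
}
catch (System.Security.SecurityException e)
{
    Console.WriteLine(e.Message);
}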
Claims-based permissions (declarative ClaimsPrincipalPermission demand)
using System;
using System.IdentityModel.Services;
using System.Security;
using System.Security.Claims;
using System.Security.Permissions;
using System.Threading;
namespace ClaimsBasedSecurityDemo
{
/// <summary>
/// Demonstrates declarative claims-based authorisation. Each method decorated
/// with <see cref="ClaimsPrincipalPermissionAttribute"/> states the
/// (Resource, Operation) it needs; the CLR evaluates that demand against
/// Thread.CurrentPrincipal through the ClaimsAuthorizationManager registered
/// in app.config before the method body runs, and a denial surfaces as a
/// SecurityException.
/// </summary>
class CustomAuthorisationManagerExample
{
    // Claim type the demo principal carries; the custom ClaimsAuthorizationManager
    // grants "Add" on "Customer" when it finds this claim with value "add".
    private const string CustomerClaimType = "http://myclaims/customer";

    /// <summary>
    /// Runs the demo: prints a banner, installs the demo principal, then calls
    /// one method whose demand is expected to pass and one whose demand is
    /// expected to be denied. Only SecurityException (the denial) is caught;
    /// any other exception propagates to the caller.
    /// </summary>
    public void Execute()
    {
        PrintHeader();
        Setup();

        try
        {
            TestPermissionsSuccess();
            TestPermissionsFail(); // denied: control jumps to the catch below
        }
        catch (SecurityException denied)
        {
            Console.WriteLine(": " + denied.Message);
        }
    }

    /// <summary>
    /// Installs a ClaimsPrincipal on the current thread so the declarative
    /// demands have something to evaluate. In a real application the
    /// authentication pipeline does this, not application code; note that the
    /// demand reads Thread.CurrentPrincipal, so it must be set on the thread
    /// that actually invokes the decorated methods.
    /// </summary>
    private void Setup()
    {
        var identity = new CorpIdentity("stevenh", new Claim(CustomerClaimType, "add"));
        Thread.CurrentPrincipal = new ClaimsPrincipal(identity);
    }

    /// <summary>Prints the section banner.</summary>
    private void PrintHeader()
    {
        Console.WriteLine("Custom Authorisation Manager Examples");
        Console.WriteLine("_____________________________________");
        Console.WriteLine();
    }

    /// <summary>
    /// Demands "Add" on "Customer": satisfied by the demo principal's claim,
    /// so the body executes.
    /// </summary>
    [ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Add", Resource = "Customer")]
    private void TestPermissionsSuccess()
    {
        Console.WriteLine("Code successfully runs!");
    }

    /// <summary>
    /// Demands "Delete" on "Customer": the authorisation manager has no rule
    /// for it, so the demand is denied and this body never runs.
    /// </summary>
    [ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Delete", Resource = "Customer")]
    private void TestPermissionsFail()
    {
        Console.WriteLine("We do not get here...");
    }
}
}
Custom ClaimsAuthorizationManager
using System.Security.Claims;
using System.Linq;
namespace ClaimsBasedSecurityDemo
{
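/// <summary>
/// Authorisation policy consulted by every ClaimsPrincipalPermission demand
/// (wired up through the claimsAuthorizationManager element in app.config).
/// The policy is deny-by-default: only the (resource, action) pairs listed in
/// CheckAccess can return true, and each still requires a matching claim on
/// the principal. Keep it that way when adding rules - an unlisted pair must
/// fall through to the final "return false".
/// </summary>
class AuthorisationManager : ClaimsAuthorizationManager
{
    // Claim type whose value "add" grants the Add operation on Customer.
    private const string CustomerClaimType = "http://myclaims/customer";

    /// <summary>
    /// Decides whether the principal in <paramref name="context"/> may perform
    /// the requested action on the requested resource.
    /// </summary>
    /// <param name="context">Principal plus the resource and action claims of the
    /// demand. A null context, a null principal or an empty Resource/Action
    /// collection is treated as a denial rather than an error.</param>
    /// <returns>true only when the first resource claim is "Customer", the first
    /// action claim is "Add" and the principal holds the claim
    /// http://myclaims/customer = "add" (ordinal, case-sensitive comparisons);
    /// false for everything else.</returns>
    public override bool CheckAccess(AuthorizationContext context)
    {
        // Fail closed on a malformed context instead of throwing: the previous
        // First() calls raised InvalidOperationException on an empty
        // Resource/Action collection and a null context/principal raised
        // NullReferenceException, neither of which is a clean "denied".
        if (context == null || context.Principal == null)
        {
            return false;
        }

        var resourceClaim = context.Resource == null ? null : context.Resource.FirstOrDefault();
        var actionClaim = context.Action == null ? null : context.Action.FirstOrDefault();
        if (resourceClaim == null || actionClaim == null)
        {
            return false;
        }

        // Hard-coded rules; these could be replaced by injection or loaded from XML.
        // As before, only the first resource and first action claim are considered.
        if (resourceClaim.Value == "Customer" && actionClaim.Value == "Add")
        {
            return context.Principal.HasClaim(CustomerClaimType, "add");
        }

        // Anything not explicitly allowed above is denied.
        return false;
    }
}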
}
app.config
<?xml version="1.0" encoding="utf-8" ?>
<!--
  Registers the custom ClaimsAuthorizationManager that every
  ClaimsPrincipalPermission demand in this assembly is routed through.
-->
<configuration>
  <configSections>
    <!-- Section handler for <system.identityModel>; the assembly-qualified
         name must match the System.IdentityModel build being used. -->
    <section name="system.identityModel"
             type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
  </configSections>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <system.identityModel>
    <identityConfiguration>
      <!-- type is "Namespace.TypeName, AssemblyName" and must match the
           compiled assembly exactly.
           NOTE(review): if this element is omitted the framework falls back to
           the base ClaimsAuthorizationManager, whose CheckAccess returns true,
           i.e. every demand succeeds silently. Verify at startup that the
           custom manager is in effect (the TestPermissionsFail demo must throw). -->
      <claimsAuthorizationManager type="ClaimsBasedSecurityDemo.AuthorisationManager, ClaimsBasedSecurityDemo" />
    </identityConfiguration>
  </system.identityModel>
</configuration>
The source code above gives examples of .NET authorisation in several forms: a declarative and an imperative role demand, and a declarative claims demand backed by a custom ClaimsAuthorizationManager.