Wednesday 27 June 2012

Claims based Security .NET 4.5

In .NET 4.5 Microsoft have moved Claims based security into MSCorLib a central part of the .NET framework.

This move away from explicit Role based security to a Claims based model promotes a finer grain approach and a decoupling of the security rules from the application into a third party service.

Old Style Permissions

Attribute Based

[PrincipalPermission(SecurityAction.Demand, Role = "Development")]
private void DoDeveloperWork()
{
Console.WriteLine("You are a developer");
}


Inline Security

try
{
new PrincipalPermission(null, "Development").Demand();
Console.WriteLine("You are a developer");
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}


Claims Based Permissions

using System;
using System.IdentityModel.Services;
using System.Security;
using System.Security.Claims;
using System.Security.Permissions;
using System.Threading;

namespace ClaimsBasedSecurityDemo
{
class CustomAuthorisationManagerExample
{
public void Execute()
{
PrintHeader();
Setup();

try
{
TestPermissionsSuccess();
TestPermissionsFail();
}
catch (SecurityException e)
{
Console.WriteLine(": " + e.Message);
}
}

[ClaimsPrincipalPermission(SecurityAction.Demand,
Operation = "Add",
Resource = "Customer")]
private void TestPermissionsSuccess()
{
Console.WriteLine("Code successfully runs!");
}

[ClaimsPrincipalPermission(SecurityAction.Demand,
Operation = "Delete",
Resource = "Customer")]
private void TestPermissionsFail()
{
Console.WriteLine("We do not get here...");
}


private void Setup()
{
var myClaim = new Claim("http://myclaims/customer", "add");
var currentIdentity = new CorpIdentity("stevenh", myClaim);
var principal = new ClaimsPrincipal(currentIdentity);
Thread.CurrentPrincipal = principal;
}

private void PrintHeader()
{
Console.WriteLine("Custom Authorisation Manager Examples");
Console.WriteLine("_____________________________________");
Console.WriteLine();
}
}
}

Custom ClaimsAuthorizationManager

using System.Security.Claims;
using System.Linq;

namespace ClaimsBasedSecurityDemo
{
class AuthorisationManager : ClaimsAuthorizationManager
{
public override bool CheckAccess(AuthorizationContext context)
{
var resource = context.Resource.First().Value;
var action = context.Action.First().Value;

// hardcoded rules could be replaced by injection or load from xml
if (resource == "Customer" && action == "Add")
{
var hasAccess = context.Principal.HasClaim("http://myclaims/customer", "add");
return hasAccess;
}

return false;
}
}
}


app.config

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<configSections>
<section name="system.identityModel"
type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</configSections>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
</startup>
<system.identityModel>
<identityConfiguration>
<claimsAuthorizationManager type="ClaimsBasedSecurityDemo.AuthorisationManager, ClaimsBasedSecurityDemo" />
</identityConfiguration>
</system.identityModel>
</configuration>

The source code below gives examples of .NET security in various forms.


image


Source


https://github.com/stevenh77/ClaimsBasedSecurityDemo

No comments:

Post a Comment