I have installed the Thinktecture.IdentityModel.Core package.
Suppose I've registered my custom implementation of AuthorizationManager
in the web.config file.
using System.Security.Claims;

public class AuthorizationManager : ClaimsAuthorizationManager {
    public override bool CheckAccess(AuthorizationContext context) {
        // authorization implementation
        return false; // placeholder so the class compiles; deny until implemented
    }
}
There are permissions defined in the application DB for user roles, so that a User might have Read permission for the Blogs and Arts resources if it is in the BasicUser role.
The workflow as I see it:
1. ClaimsAuthorizationAttribute makes a call to the ClaimsAuthorizationManager.
2. ClaimsAuthorizationManager internally checks the authentication cookie with claims from the step 2.
Am I right?
Or am I supposed to do a database permission lookup inside the CheckAccess
method? Will this work on a per-request basis?
How do I transform/attach the DB-fetched set of action-resources into identity claims?
Inside the CheckAccess method you are not supposed to look up the database. You are supposed to check whether the claims inside the AuthorizationContext allow the user to access the action/resources. Claims are supposed to be filled during authentication.
At login, you can fetch roles from your database and add them to the claims; then the claims can be stored in the cookie or in the session to avoid fetching them on each request. Cookie or session storage of claims is handled natively (and securely) using the right configuration.
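The split the answer describes, as an added example that is not the answer author's or Thinktecture's code: the permission table is read once at login and turned into claims persisted by the WIF session cookie, and CheckAccess then only inspects the claims already on the principal. The claim type URI, the IPermissionRepository interface and the "action:resource" claim value format are assumptions made for this example.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;

// Hypothetical claim type: one claim per "action:resource" permission, e.g. "Read:Blogs".
public static class AppClaimTypes
{
    public const string Permission = "urn:example:permission";
}

// Hypothetical lookup against the application's permission table (hit once, at login only).
public interface IPermissionRepository
{
    IEnumerable<string> GetRoles(string userName);                                // e.g. "BasicUser"
    IEnumerable<(string Action, string Resource)> GetPermissions(IEnumerable<string> roles);
}

public static class LoginService
{
    // Called once after the credential check succeeds: roles and permissions become claims,
    // and the session authentication module persists the principal in a protected cookie.
    public static ClaimsPrincipal SignIn(string userName, IPermissionRepository repo)
    {
        var identity = new ClaimsIdentity("ApplicationLogin");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        var roles = repo.GetRoles(userName).ToList();
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        foreach (var (action, resource) in repo.GetPermissions(roles))
            identity.AddClaim(new Claim(AppClaimTypes.Permission, action + ":" + resource));

        var principal = new ClaimsPrincipal(identity);
        var token = new SessionSecurityToken(principal);
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
        return principal;
    }
}

public class AuthorizationManager : ClaimsAuthorizationManager
{
    // Runs on every request but touches no database: it only reads the principal's claims.
    public override bool CheckAccess(AuthorizationContext context)
    {
        var action = context.Action.FirstOrDefault()?.Value;
        var resource = context.Resource.FirstOrDefault()?.Value;
        if (action == null || resource == null) return false; // deny an underspecified request
        return context.Principal.HasClaim(AppClaimTypes.Permission, action + ":" + resource);
    }
}
```

Because the permission claims live in the session cookie, a role or permission change in the database only takes effect after the user's next login (or an explicit re-issue of the session token), which is the trade-off for avoiding a per-request lookup.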