Share via


An alternative to the WIF ClaimsPrincipal IsInRole implementation (free code)

So let me start with by saying that I love the Geneva Framework. Stuart Kwan and team have so far produced a most excellent product. In fact, we were so impressed with it we struck an agreement with the WIF team back in early 2008 to get access to the source tree so that we can produce some highly customized ports of the codebase for the Online Services Division here at the old 'Soft. It's been a great relationship so far.

That being said however, there are a few places in the code where I think their model and thinking is…creative, [coughs]. More specifically I want to talk about how they approached bridging claim assertions to roles. Personally, the whole RoleClaimeType property is odd and really is forcing token servers into producing tokens matching their pattern. Or worse by requiring the RPs to transform the received tokens into something resembling their implementation pattern as the Token Server service team probably is going to tell anyone asking for a token looking like that to get bent. Unfortunately they've been drinking the Mort cool-aid a little much as I've never seen real enterprise implementations producing linear security tokens in all the years I've been playing with WS-Trust. And trust me; this is coming from a guy that wrote a token server years ago for another fortune 100 company. J

So if you are feeling constrained by their approach or feel like the .Net CAS principal roles model is leaking into your token services then maybe this little bit of code will be to your liking. Basically it supports a simple string expression syntax to allow you to assert that the principal has particular concrete claims matching the provided rule. This includes performing the check ACROSS claim types and can optionally take the value into account.

So for instance you can do things like…

  • Find out if a principal contains any claim of a particular type regardless of value
    [PrincipalPermission(SecurityAction.Demand, "https://yourclaimtype"]
  • Find out if a principal contains any claim of a particular type with a particular value
    [PrincipalPermission(SecurityAction.Demand, "https://yourclaimtype[a claim value"]
  • Find out if a principal contains any claim of a particular type with NO value
    [PrincipalPermission(SecurityAction.Deny, "https://yourclaimtype[]"]

So go check out the code attached to the post and use as you need. Feel free to send in suggestions / patches.


Jimmy Zimms is very very very hungry

Code.zip