Compartir a través de


Implementing an Authorization Plug-in

The Windows Media Services authorization process is closely coupled to the authentication process. Before a client can be authorized to retrieve digital media, the identity of the client must be established by an authentication plug-in. The following steps describe how the server interacts with authorization and authentication plug-ins to authorize a client request. These steps are illustrated by the diagram that follows them:

  1. The server calls GetAuthorizedEvents on the IWMSEventAuthorizationPlugin interface to retrieve an array of events that the authorization plug-in can authorize.

  2. The server calls Authenticate on the IWMSAuthenticationContext interface of the first enabled anonymous authentication plug-in. Windows Media Services recognizes two basic authentication plug-in categories. Anonymous authentication plug-ins do not support a challenge and response dialogue between the server and the client. Typically, anonymous authentication plug-ins impersonate a guest account that has minimal privileges. For example, the default account for anonymous access to Windows Media Services is the Windows Media Services Guest Account. Non-anonymous authentication plug-ins such as the WMS Negotiate Authentication plug-in validate users based on logon credentials or, if the logon credentials fail, a challenge and response dialogue. If more than one anonymous authentication plug-in is enabled, the server uses only the one that was enabled first. You can use the SelectionOrder property on the IWMSPlugin interface to modify the plug-in order.

  3. If the client is authenticated, the server calls AuthorizeEvent on the IWMSEventAuthorizationPlugin interface for all of the enabled authorization plug-ins. Each plug-in calls OnAuthorizeEvent on the IWMSEventAuthorizationCallback interface to indicate that it accepted or rejected the client request. If one of the plug-ins refuses to authorize the request, the server will not process it.

  4. If one of the plug-ins in step 3 refuses to authorize the client request or if the client cannot be authenticated by the anonymous authentication plug-in, the server calls Authenticate on the IWMSAuthenticationContext interface of the first enabled non-anonymous authentication plug-in. If the client is authenticated, the server again iterates through the enabled authorization plug-ins to determine whether the client request can be processed. See step 2. If the client cannot be authenticated, the server disconnects it.

See Also (General)

See Also (Visual Basic .NET)

See Also (C#)

See Also (C++)