<p>My Google foo was indeed weak. The answer is right behind the link in my question. So here are a couple of links to <a href="http://leastprivilege.com/category/identitymodel/" rel="noreferrer">this blog</a> in case somebody has the same question eventually.</p>
<p>First, you should try to understand "that claim set stuff":</p>
<ul>
<li><a href="http://leastprivilege.com/2008/02/19/using-identitymodel-claims/" rel="noreferrer">Claims</a></li>
<li><a href="http://leastprivilege.com/2008/02/23/using-identitymodel-claim-sets/" rel="noreferrer">Claim Sets</a></li>
<li><a href="http://leastprivilege.com/2008/02/23/using-identitymodel-inspecting-claim-sets/" rel="noreferrer">Inspecting Claim Sets</a></li>
<li><a href="http://leastprivilege.com/2008/02/24/using-identitymodel-windows-and-x509certificate-claim-sets/" rel="noreferrer">Windows and X509Certificate Claim Sets</a></li>
<li><a href="http://leastprivilege.com/2008/02/24/using-identitymodel-typical-operations-on-claim-sets/" rel="noreferrer">Typical Operations on Claim Sets</a></li>
</ul>
<p>Then, you need to know where claim sets come from:</p>
<ul>
<li><a href="http://leastprivilege.com/2008/02/29/using-identitymodel-authorization-policies-context-and-claims-transformation/" rel="noreferrer">Authorization Policies, Context and Claims Transformation</a></li>
<li><a href="http://leastprivilege.com/2008/03/04/using-identitymodel-claims-transformation-in-wcf/" rel="noreferrer">Claims Transformation in WCF</a></li>
<li><a href="http://leastprivilege.com/2008/03/04/using-identitymodel-authorization-context-and-claims-transformation-outside-of-wcf/" rel="noreferrer">Authorization Context and Claims Transformation outside of WCF</a></li>
</ul>
<p>Armed with this knowledge, it actually becomes quite simple.</p>
<p>If I understand it correctly, the basic workflow would be something like this:</p>
<ol>
<li>Client creates a <code>SecurityToken</code> using a <code>SecurityTokenProvider</code></li>
<li>Client serializes the <code>SecurityToken</code> using a <code>SecurityTokenSerializer</code></li>
<li>Server deserializes the <code>SecurityToken</code> using a <code>SecurityTokenSerializer</code></li>
<li>Server creates <code>IAuthorizationPolicy</code>s using a <code>SecurityTokenAuthenticator</code></li>
<li>Server creates <code>AuthorizationContext</code> from <code>IAuthorizationPolicy</code>s</li>
<li>Done</li>
</ol>
<p>Example:</p>
<pre><code>// Namespaces used below, all in System.IdentityModel.dll
using System;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;

// Create the SecurityTokenProvider
var p = new UserNameSecurityTokenProvider("username", "password");

// Get the SecurityToken from the SecurityTokenProvider
var t = p.GetToken(TimeSpan.FromSeconds(1.0)) as UserNameSecurityToken;

// ... transmit SecurityToken to server ...

// Create the SecurityTokenAuthenticator
var a = new CustomUserNameSecurityTokenAuthenticator(
    UserNamePasswordValidator.None);

// Create IAuthorizationPolicies from SecurityToken
var i = a.ValidateToken(t);

// Create AuthorizationContext from IAuthorizationPolicies
var c = AuthorizationContext.CreateDefaultAuthorizationContext(i);

// ShowClaims is a helper that is not shown here; it walks the claim sets
// (see the "Inspecting Claim Sets" link above)
ShowClaims(c.ClaimSets);
</code></pre>
<p>For <code>X509SecurityToken</code>s use a <code>X509SecurityTokenProvider</code>/<code>Authenticator</code>. For <code>WindowsSecurityToken</code>s there's a <code>WindowsSecurityTokenAuthenticator</code> but not a provider; instead, use the <code>WindowsSecurityToken</code> constructor:</p>
<pre><code>// WindowsIdentity lives in System.Security.Principal,
// WindowsSecurityToken in System.IdentityModel.Tokens
var t = new WindowsSecurityToken(WindowsIdentity.GetCurrent());
</code></pre>
<p>This works quite well. The only thing I omitted so far above is the token serialization. There is a <code>SecurityTokenSerializer</code> class which has one implementation in the .NET framework: the <code>WSSecurityTokenSerializer</code> class which comes with WCF.</p>
<p>Serializing <code>UserNameSecurityToken</code>s and <code>X509SecurityToken</code>s works like a charm (haven't tried deserialization), but <code>WindowsSecurityToken</code>s are apparently not supported by the serializer. This leaves me with the two authentication methods that I already have (certificates and username/password) and, as I didn't want that <code>AuthorizationContext</code> anyway, I'll stick with what I have :)</p>
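<p>The full six-step workflow from the answer above, carried through end to end as an added example (this is not the answer author's code). It serializes a <code>UserNameSecurityToken</code> with <code>WSSecurityTokenSerializer</code>, reads it back on the "server" side, and validates it with a real <code>UserNamePasswordValidator</code> instead of <code>UserNamePasswordValidator.None</code>, which accepts any password. Assumptions: it targets .NET Framework with <code>System.IdentityModel.dll</code> and <code>System.ServiceModel.dll</code> referenced; <code>Pbkdf2UserNamePasswordValidator</code> and <code>TokenRoundTrip</code> are hypothetical names; the credentials are constructed demo data; and, since the answer says deserialization was not tried, the round trip through <code>ReadToken</code> is this example's assumption, not something the answer confirms.</p>

```csharp
// Added example (not from the answer above): client -> XML -> server round trip of a
// UserNameSecurityToken with a custom UserNamePasswordValidator. Targets .NET Framework;
// reference System.IdentityModel.dll and System.ServiceModel.dll.
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;

// Hypothetical validator: keeps PBKDF2 hashes, never plaintext, and compares in fixed time.
sealed class Pbkdf2UserNamePasswordValidator : UserNamePasswordValidator
{
    const int Iterations = 100000, SaltBytes = 16, HashBytes = 32;
    sealed class Record { public byte[] Salt; public byte[] Hash; }
    readonly Dictionary<string, Record> users = new Dictionary<string, Record>(StringComparer.Ordinal);

    // Seeded from plaintext only so the demo is self-contained; real code loads pre-hashed records.
    public Pbkdf2UserNamePasswordValidator(IDictionary<string, string> seed)
    {
        using (var rng = new RNGCryptoServiceProvider())
            foreach (var kv in seed)
            {
                var salt = new byte[SaltBytes];
                rng.GetBytes(salt);
                users[kv.Key] = new Record { Salt = salt, Hash = Derive(kv.Value, salt) };
            }
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Called by CustomUserNameSecurityTokenAuthenticator.ValidateToken; throwing rejects the token.
    public override void Validate(string userName, string password)
    {
        Record rec;
        if (userName == null || password == null || !users.TryGetValue(userName, out rec))
        {
            Derive(password ?? "", new byte[SaltBytes]); // same cost for unknown users
            throw new SecurityTokenValidationException("Invalid username or password.");
        }
        if (!FixedTimeEquals(Derive(password, rec.Salt), rec.Hash))
            throw new SecurityTokenValidationException("Invalid username or password.");
    }
}

static class TokenRoundTrip
{
    // Client: token -> WS-Security XML. The UsernameToken carries the password as PasswordText,
    // so this XML must only ever travel over a confidential channel (TLS).
    public static string Serialize(SecurityToken token)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true, ConformanceLevel = ConformanceLevel.Fragment };
        using (var w = XmlWriter.Create(sb, settings))
            WSSecurityTokenSerializer.DefaultInstance.WriteToken(w, token);
        return sb.ToString();
    }

    // Server: XML -> token. A UsernameToken needs no SecurityTokenResolver (assumed; see lead-in).
    public static SecurityToken Deserialize(string xml)
    {
        using (var r = XmlReader.Create(new StringReader(xml)))
            return WSSecurityTokenSerializer.DefaultInstance.ReadToken(r, null);
    }

    // Server: token -> IAuthorizationPolicy list -> AuthorizationContext.
    public static AuthorizationContext Authenticate(SecurityToken token, UserNamePasswordValidator validator)
    {
        var authenticator = new CustomUserNameSecurityTokenAuthenticator(validator);
        if (!authenticator.CanValidateToken(token))
            throw new SecurityTokenValidationException("Expected a UserNameSecurityToken.");
        return AuthorizationContext.CreateDefaultAuthorizationContext(authenticator.ValidateToken(token));
    }

    static void Main()
    {
        // Client side (constructed demo credentials).
        var provider = new UserNameSecurityTokenProvider("alice", "correct horse battery staple");
        string wire = Serialize(provider.GetToken(TimeSpan.FromSeconds(5)));

        // Server side: rebuild the token, validate it, inspect the resulting claim sets.
        var validator = new Pbkdf2UserNamePasswordValidator(
            new Dictionary<string, string> { { "alice", "correct horse battery staple" } });
        AuthorizationContext ctx = Authenticate(Deserialize(wire), validator);
        foreach (ClaimSet set in ctx.ClaimSets)
            foreach (Claim claim in set.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
                Console.WriteLine("Authenticated as: " + claim.Resource);

        // A wrong password is rejected before any AuthorizationContext exists.
        try { Authenticate(new UserNameSecurityToken("alice", "wrong"), validator); }
        catch (SecurityTokenException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

<p>Two points worth keeping in mind when adapting this: <code>UserNamePasswordValidator.None</code> is fine for exploring the claim-set API, but in anything reachable by a client it turns the authenticator into an accept-all, so the validator is the part that actually decides who gets an <code>AuthorizationContext</code>; and the serialized UsernameToken is a plaintext credential on the wire, so this serializer only makes sense inside a transport-secured channel.</p>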