ClaimsAuthorizationManager.LoadCustomConfiguration(XmlNodeList) Method

Reference

Definition

Namespace:: System.Security.Claims

Assembly:: System.IdentityModel.dll

Important

Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

When overridden in a derived class, loads custom configuration from XML.

public:
 virtual void LoadCustomConfiguration(System::Xml::XmlNodeList ^ nodelist);

public virtual void LoadCustomConfiguration (System.Xml.XmlNodeList nodelist);

abstract member LoadCustomConfiguration : System.Xml.XmlNodeList -> unit
override this.LoadCustomConfiguration : System.Xml.XmlNodeList -> unit

Public Overridable Sub LoadCustomConfiguration (nodelist As XmlNodeList)

Parameters

nodelist: XmlNodeList

The custom configuration elements. Each node in the list is of type XmlElement.

Implements

LoadCustomConfiguration(XmlNodeList)

Examples

The code examples that are used in the ClaimsAuthorizationManager topics are taken from the Claims Based Authorization sample. This sample provides a custom claims authorization manager that can authorize subjects based on a policy that is specified in configuration. The custom claims authorization manager consists of three basic components: a class derived from ClaimsAuthorizationManager that implements the manager, the ResourceAction class that pairs a resource and an action, and a policy reader that reads and compiles policy that is specified in the configuration file. This compiled policy can then be used by the claims authorization manager to evaluate a principal in order to authorize access to resources. Not all elements are shown for the sake of brevity. For information about this sample and other samples available for WIF and about where to download them, see WIF Code Sample Index.

The following code shows the override of the LoadCustomConfiguration method. This method uses a helper policy reader class (not shown) to read and compile authorization policies specified in the configuration file. Policies are added to a dictionary and are accessed by a ResourceAction key object that is created from the resource and action for which they are intended.

static Dictionary<ResourceAction, Func<ClaimsPrincipal, bool>> _policies = new Dictionary<ResourceAction, Func<ClaimsPrincipal, bool>>();
PolicyReader _policyReader = new PolicyReader();

/// <summary>
/// Overloads  the base class method to load the custom policies from the config file
/// </summary>
/// <param name="nodelist">XmlNodeList containing the policy information read from the config file</param>
public override void LoadCustomConfiguration(XmlNodeList nodelist)
{
    Expression<Func<ClaimsPrincipal, bool>> policyExpression;

    foreach (XmlNode node in nodelist)
    {
        //
        // Initialize the policy cache
        //
        XmlDictionaryReader rdr = XmlDictionaryReader.CreateDictionaryReader(new XmlTextReader(new StringReader(node.OuterXml)));
        rdr.MoveToContent();

        string resource = rdr.GetAttribute("resource");
        string action = rdr.GetAttribute("action");

        policyExpression = _policyReader.ReadPolicy(rdr);

        //
        // Compile the policy expression into a function
        //
        Func<ClaimsPrincipal, bool> policy = policyExpression.Compile();

        //
        // Insert the policy function into the policy cache
        //
        _policies[new ResourceAction(resource, action)] = policy;
    }
}

The following code shows the ResourceAction class used by the custom claims manager.

using System;

namespace ClaimsAuthorizationLibrary
{
    /// <summary>
    /// Class to encapsulate resource/action pair
    /// </summary>
    public class ResourceAction
    {
        public string Resource;
        public string Action;

        /// <summary>
        /// Checks if the current instance is equal to the given object by comparing the resource and action values
        /// </summary>
        /// <param name="obj">object to compare to</param>
        /// <returns>True if equal, else false.</returns>
        public override bool Equals(object obj)
        {
            ResourceAction ra = obj as ResourceAction;
            if (ra != null)
            {
                return ((string.Compare(ra.Resource, Resource, true) == 0) && (string.Compare(ra.Action, Action, true) == 0));
            }

            return base.Equals(obj);
        }

        /// <summary>
        /// Gets the hash code.
        /// </summary>
        /// <returns>The hash code.</returns>
        public override int GetHashCode()
        {
            return (Resource + Action).ToLower().GetHashCode();
        }

        /// <summary>
        /// Creates an instance of ResourceAction class.
        /// </summary>
        /// <param name="resource">The resource name.</param>
        /// <param name="action">The action.</param>
        /// <exception cref="ArgumentNullException">when <paramref name="resource"/> is null</exception>
        public ResourceAction(string resource, string action)
        {
            if (string.IsNullOrEmpty(resource))
            {
                throw new ArgumentNullException("resource");
            }

            Resource = resource;
            Action = action;
        }
    }
}

The policy used by the claims authorization manager is specified by custom <policy> elements under the <claimsAuthorizationManager> element. This policy is read and compiled by the LoadCustomConfiguration method. In the first policy, the principal must possess one of the specified claims in order to perform the specified action on the specified resource. In the second policy, the principal must possess both claims to be able to perform the specified action on the specified resource. In all others, the principal is automatically granted access regardless of the claims it possesses.

<system.identityModel>
  <identityConfiguration>
    <claimsAuthorizationManager type="ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager, ClaimsAuthorizationLibrary">
      <policy resource="http://localhost:28491/Developers.aspx" action="GET">
        <or>
          <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" claimValue="developer" />
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
        </or>
      </policy>
      <policy resource="http://localhost:28491/Administrators.aspx" action="GET">
        <and>
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
          <claim claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" claimValue="USA" />
        </and>
      </policy>
      <policy resource="http://localhost:28491/Default.aspx" action="GET">
      </policy>
      <policy resource="http://localhost:28491/" action="GET">
      </policy>
      <policy resource="http://localhost:28491/Claims.aspx" action="GET">
      </policy>
    </claimsAuthorizationManager>

    ...

  </identityConfiguration>
</system.identityModel>

Remarks

The LoadCustomConfiguration method is called by the configuration infrastructure. When this method is called, the nodelist will contain the top-level child elements of the <claimsAuthorizationManager> element from the configuration file. Each of these elements may, in turn, contain attributes or child elements depending on the configuration schema you define for your derived class. If no child elements appear under the <claimsAuthorizationManager> element in the configuration file, this method is not called.

The default implementation throws a NotImplementedException. Override this method in your derived class to enable initialization of your claims authorization manager from a configuration file. Typically, the configuration elements are used to express an authorization policy; however, you can define elements and use them in any way that makes sense based on the requirements of your application.

Applies to