Claims and Denying Access to Resources
Windows Communication Foundation (WCF) supports a claims-based authorization mechanism. As well as allowing access to resources based on the presence of claims, systems often deny access to resources based on the presence of claims. Such systems should examine the AuthorizationContext for claims that result in access being denied before looking for claims that result in access being allowed.
For example, a system might deny access to a resource to anyone who has a claim with a type of Age, a right of PossessProperty, and a resource value of Under 21 only when that identity also has a claim of type Name, a right of Identity, and a resource value of Mallory. Put another way, the system denies access to anyone who is under 21 years old and grants access when the name is Mallory. To correctly implement this semantic, it is important to look for the Age claim first and determine whether the age is under 21 years old. Otherwise, if Mallory is under 21, then the resource may be granted access solely on the basis of the
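The deny-before-allow ordering described above, as an added example that is not part of the original page: a custom ServiceAuthorizationManager that checks the AuthorizationContext for the denying Age claim before it looks for the granting Name claim. The Age claim type URI is an assumption; the Name claim uses the built-in ClaimTypes.Name.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Authorization manager that evaluates deny rules before allow rules.
public class DenyFirstAuthorizationManager : ServiceAuthorizationManager
{
    // Claim type for the Age property; this URI is an assumption for the example.
    private const string AgeClaimType = "http://example.com/claims/age";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        AuthorizationContext authContext =
            operationContext.ServiceSecurityContext.AuthorizationContext;

        // Step 1: look for claims that deny access. An identity holding an Age
        // claim with the value "Under 21" is refused regardless of its other claims.
        if (HasClaim(authContext, AgeClaimType, Rights.PossessProperty, "Under 21"))
        {
            return false;
        }

        // Step 2: only now look for claims that grant access.
        return HasClaim(authContext, ClaimTypes.Name, Rights.Identity, "Mallory");
    }

    // Returns true if any ClaimSet in the context contains a claim of the given
    // type and right whose resource equals the expected string value.
    private static bool HasClaim(AuthorizationContext context, string claimType,
                                 string right, string expectedResource)
    {
        foreach (ClaimSet claimSet in context.ClaimSets)
        {
            foreach (Claim claim in claimSet.FindClaims(claimType, right))
            {
                if (string.Equals(claim.Resource as string, expectedResource,
                                  StringComparison.Ordinal))
                {
                    return true;
                }
            }
        }
        return false;
    }
}
```

Install the manager on the host with `serviceHost.Authorization.ServiceAuthorizationManager = new DenyFirstAuthorizationManager();` so every call passes through CheckAccessCore.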