ClaimsPrincipalPermission 类


表示使用 ClaimsAuthorizationManager 实施的权限,以确定对资源的访问是否应授予活动原则。Represents a permission that uses a ClaimsAuthorizationManager implementation to determine if access to a resource should be granted to the active principal. 此类不能被继承。This class cannot be inherited.

public ref class ClaimsPrincipalPermission sealed : System::Security::IPermission, System::Security::Permissions::IUnrestrictedPermission
public sealed class ClaimsPrincipalPermission : System.Security.IPermission, System.Security.Permissions.IUnrestrictedPermission
type ClaimsPrincipalPermission = class
    interface IPermission
    interface ISecurityEncodable
    interface IUnrestrictedPermission
Public NotInheritable Class ClaimsPrincipalPermission
Implements IPermission, IUnrestrictedPermission


下面的示例演示如何使用 Demand 方法、 CheckAccess 方法或声明保护资源 ClaimsPrincipalPermissionAttributeThe following example shows how to protect a resource by using the Demand method, the CheckAccess method, or a ClaimsPrincipalPermissionAttribute declaration. 在每种情况下,将调用配置的 ClaimsAuthorizationManager 来针对指定的资源和操作评估当前主体。In each case, the configured ClaimsAuthorizationManager is invoked to evaluate the current principal against the specified resource and action. 如果未对指定资源的指定操作授权当前主体,则 SecurityException 将引发; 否则,执行将继续。If the current principal is not authorized for the specified action on the specified resource, a SecurityException is thrown; otherwise, execution proceeds.

using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using System.Security.Claims;
using System.IdentityModel.Services;

namespace ClaimsBasedAuthorization
    /// <summary>
    /// Program illustrates using Claims-based authorization
    /// </summary>
    class Program
        static void Main(string[] args)
            // Method 1. Simple access check using static method. 
            // Expect this to be most common method.
            ClaimsPrincipalPermission.CheckAccess("resource", "action");

            // Method 2. Programmatic check using the permission class
            // Follows model found at
            ClaimsPrincipalPermission cpp = new ClaimsPrincipalPermission("resource", "action");

            // Method 3. Access check interacting directly with the authorization manager.
            ClaimsAuthorizationManager am = new ClaimsAuthorizationManager();
            am.CheckAccess(new AuthorizationContext((ClaimsPrincipal)Thread.CurrentPrincipal, "resource", "action"));

            // Method 4. Call a method that is protected using the permission attribute class

            Console.WriteLine("Press [Enter] to continue.");

        // Declarative access check using the permission class. The caller must satisfy both demands.
        [ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "resource", Operation = "action")]
        [ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "resource1", Operation = "action1")]
        static void ProtectedMethod()

下面的 XML 演示将自定义声明授权管理器与类结合使用所需的最低配置 ClaimsPrincipalPermissionThe following XML shows the minimum configuration required to use a custom claims authorization manager with the ClaimsPrincipalPermission class. 至少必须在 system.identityModel 元素中同时声明和 部分, <configSection> 然后在默认标识配置下的 < claimsAuthorizationManager > 元素中指定授权管理器。You must, at a minimum, declare both the system.identityModel and the sections in the <configSection> element and then specify your authorization manager in a <claimsAuthorizationManager> element under the default identity configuration. 这将确保从默认的联合身份验证配置引用授权管理器。This will ensure that your authorization manager is referenced from the default federation configuration. 或者,你可以指定在 identityConfigurationName < federationConfiguration > 元素的属性中指定了授权管理器的标识配置的名称。Alternatively, you can specify the name of the identity configuration under which your authorization manager is specified in the identityConfigurationName attribute of the <federationConfiguration> element.

<?xml version="1.0" encoding="utf-8" ?>  
    <!-- WIF configuration sections -->  
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>  
    <section name="" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>  

    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />  

      <claimsAuthorizationManager type ="MyClaimsAuthorizationManager.MyClaimsAuthorizationManager, MyClaimsAuthorizationManager"/>  



ClaimsPrincipalPermission类提供通过使用 ClaimsAuthorizationManager 为应用程序配置的来执行命令性访问检查的功能。The ClaimsPrincipalPermission class provides the capability to perform imperative access checks by using the ClaimsAuthorizationManager that is configured for an application. 通过调用 Demand 方法或静态 CheckAccess 方法,你可以根据为声明身份验证管理器定义的授权策略,对代码的执行路径中的资源提供保护。By invoking the Demand method or the static CheckAccess method, you can provide protection to resources from within the execution path of your code according to the authorization policy defined for your claims authentication manager. 声明性访问检查可以通过使用类来执行 ClaimsPrincipalPermissionAttributeDeclarative access checks can be performed by using the ClaimsPrincipalPermissionAttribute class.


ClaimsPrincipalPermission类使用配置的声明授权管理器,该管理器由在 IdentityConfiguration 属性下设置的进行 FederatedAuthentication.FederationConfigurationThe ClaimsPrincipalPermission class uses the claims authorization manager configured by the IdentityConfiguration that is set under the FederatedAuthentication.FederationConfiguration property. 即使在不使用 WS-Federation 的情况下,也是如此:例如,active (WCF) Web 应用程序和控制台应用程序。This is true in all cases, even in scenarios where WS-Federation is not used; for example, active (WCF) Web applications and Console applications. 可以在配置中或以编程方式指定声明授权管理器。You can specify the claims authorization manager either in configuration or programmatically. 若要在配置文件中指定声明授权管理器,请在 < identityConfiguration > 元素下设置 < > claimsAuthorizationManager元素,并确保此标识配置由运行时加载的 < federationConfiguration > 元素引用 (例如,通过将 identityConfigurationName 属性设置) 。To specify the claims authorization manager in a configuration file, set the <claimsAuthorizationManager> element under an <identityConfiguration> element and ensure that this identity configuration is referenced by the <federationConfiguration> element that is loaded by the runtime (for example, by setting the identityConfigurationName attribute). 若要以编程方式设置声明授权管理器,请为事件提供处理程序 FederatedAuthentication.FederationConfigurationCreatedTo set the claims authorization manager programmatically, provide a handler for the FederatedAuthentication.FederationConfigurationCreated event.

在一个级别上,提供的功能 ClaimsPrincipalPermission 类似于基于角色的访问检查 (RBAC) 通过 PrincipalPermission 类提供; 但是, ClaimsAuthorizationManager 类会基于活动主体提供的声明执行检查。On one level, the functionality provided by ClaimsPrincipalPermission is similar to the role-based access checks (RBAC) provided through the PrincipalPermission class; however, the ClaimsAuthorizationManager class performs checks based on the claims presented by the active principal. 这比通过纯 RBAC 提供的粒度要多得多,在这种情况下,通常会在单个角色下收集许多权限。This enables far more granularity than is available through pure RBAC, where many permissions are typically collected under a single role. 更重要的是,更重要的是,基于声明的授权可以更好地分离业务逻辑和授权策略,因为可以对代码中的资源执行特定操作的权限,并且可以使用后端策略来配置呈现实体为满足需求而必须拥有的声明。Perhaps, more importantly, claims-based authorization enables better separation of business logic and authorization policy because permission can be demanded for a specific action on a resource in code and back-end policy can be used to configure which claims the presenting entity must possess in order to satisfy the demand. 与 RBAC 类似, ClaimsPrincipalPermission 执行基于用户的访问检查,即,与从类派生的类实现的代码访问安全性不同, CodeAccessPermission 并使用堆栈审核来确保已向代码的所有调用方授予权限, ClaimsPrincipalPermission 仅对当前主体执行检查。Like RBAC, ClaimsPrincipalPermission performs a user-based access check, that is, unlike code access security implemented by classes that derive from the CodeAccessPermission class and use a stack walk to ensure that all callers of the code have been granted a permission, ClaimsPrincipalPermission performs its check only on the current principal.

静态 CheckAccess 方法检查针对指定资源的指定操作的访问权限。The static CheckAccess method checks access for a specified action on a specified resource. 资源和操作都是字符串,并且通常为 Uri。The resource and action are both strings and are typically URIs. 你还可以 ClaimsPrincipalPermission 使用操作和资源初始化实例,并调用 Demand 方法。You can also initialize an instance of ClaimsPrincipalPermission with an action and a resource and call the Demand method. 尽管构造函数只使用单个资源和操作,但 ClaimsPrincipalPermission 可以通过和方法合并对象 Union IntersectAlthough the constructor only takes a single resource and action, ClaimsPrincipalPermission objects can be combined through the Union and Intersect methods. 使用这些方法创建的权限可能包含多个资源操作对。A permission created by using these methods may contain multiple resource-action pairs.

这两种方法都可通过调用 ClaimsAuthorizationManager.CheckAccess 已配置的声明授权管理器的方法来确定访问权限,其中包括 AuthorizationContext 活动主体 (Thread.CurrentPrincipal) 、资源和操作。Both methods determine access by invoking the ClaimsAuthorizationManager.CheckAccess method of the configured claims authorization manager with an AuthorizationContext composed of the active principal (Thread.CurrentPrincipal), the resource, and the action. SecurityException如果当前主体无权对资源执行操作,则它们会引发; 否则,执行将继续。They throw a SecurityException if the current principal is not authorized to perform the action on the resource; otherwise, execution proceeds.

对于 ClaimsPrincipalPermission 包含多个资源操作对的,将 ClaimsAuthorizationManager.CheckAccess 为权限中包含的每个资源操作对调用方法。In the case of a ClaimsPrincipalPermission that contains multiple resource-action pairs, the ClaimsAuthorizationManager.CheckAccess method is invoked for each of the resource-action pairs contained in the permission. 要使对的调用 Demand 成功,必须针对权限中包含的所有资源操作对对活动主体进行授权。For the call to Demand to succeed, the active principal must be authorized for all of the resource-action pairs contained in the permission.


ClaimsPrincipalPermission(String, String)

创建 ClaimsPrincipalPermission 类的新实例。Creates a new instance of the ClaimsPrincipalPermission class.


CheckAccess(String, String)

检查是否授权当前主体在指定资源上执行指定操作。Checks if the current principal is authorized to perform the specified action on the specified resource.


返回当前 ClaimsPrincipalPermission 实例的副本。Returns a copy of the current ClaimsPrincipalPermission instance.


检查当前主体是否获得与当前实例关联的资源操作对的授权。Checks if the current principal is authorized for the resource-action pairs associated with the current instance.


确定指定对象是否等于当前对象。Determines whether the specified object is equal to the current object.

(继承自 Object)

通过指定的 XML 内码重新构建当前权限及其状态。Reconstructs the current permission and its state from the specified XML encoding.


作为默认哈希函数。Serves as the default hash function.

(继承自 Object)

获取当前实例的 TypeGets the Type of the current instance.

(继承自 Object)

返回一个权限,该权限是当前权限与指定权限的交集。Returns a permission that is the intersection of the current permission and the specified permission.


返回一个值,该值指示当前权限是否为指定权限的一个子集。Returns a value that indicates whether current permission is a subset of the specified permission.


返回一个值,指示权限是否不受限。Returns a value that indicates whether the permission is unrestricted.


创建当前 Object 的浅表副本。Creates a shallow copy of the current Object.

(继承自 Object)

返回表示当前对象的字符串。Returns a string that represents the current object.

(继承自 Object)

返回当前权限及其状态的 XML 编码形式。Returns the XML encoded form of the current permission and its state.


返回一个新权限,该权限是当前权限与指定权限的并集。Returns a new permission that is the union of the current permission and the specified permission. 具有当前实例和目标实例中存在的所有资源操作对的 ClaimsPrincipalPermission 对象。ClaimsPrincipalPermission object that has all of the resource-action pairs that are present in the current instance and the target instance.