ServiceAuthorizationManager.CheckAccess Method

Definition

Checks authorization for the given operation context and optional message.

Overloads

CheckAccess(OperationContext)

Checks authorization for the given operation context.

CheckAccess(OperationContext, Message)

Checks authorization for the given operation context when access to a message is required.

CheckAccess(OperationContext)

Checks authorization for the given operation context.

public:
 virtual bool CheckAccess(System::ServiceModel::OperationContext ^ operationContext);
public virtual bool CheckAccess (System.ServiceModel.OperationContext operationContext);
abstract member CheckAccess : System.ServiceModel.OperationContext -> bool
override this.CheckAccess : System.ServiceModel.OperationContext -> bool
Public Overridable Function CheckAccess (operationContext As OperationContext) As Boolean

Parameters

Returns

Boolean

true if access is granted; otherwise, false. The default is true.

Examples

The following code shows how to override this method to enforce custom access control requirements.

using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

public class myServiceAuthorizationManager : ServiceAuthorizationManager
{
    // Override the CheckAccess method to enforce access control requirements.
    public override bool CheckAccess(OperationContext operationContext)
    {
        AuthorizationContext authContext =
            operationContext.ServiceSecurityContext.AuthorizationContext;
        // Deny unless exactly one claim set, issued by STS-B, carries exactly
        // one claim of the expected type with the value "true".
        if (authContext.ClaimSets == null) return false;
        if (authContext.ClaimSets.Count != 1) return false;
        ClaimSet myClaimSet = authContext.ClaimSets[0];
        if (!IssuedBySTS_B(myClaimSet)) return false;
        if (myClaimSet.Count != 1) return false;
        Claim myClaim = myClaimSet[0];
        if (myClaim.ClaimType ==
          "http://www.tmpuri.org:accessAuthorized")
        {
            string resource = myClaim.Resource as string;
            if (resource == null) return false;
            if (resource != "true") return false;
            return true;
        }
        else
        {
            return false;
        }
    }

    // This helper method checks whether SAML Token was issued by STS-B.
    // It compares the Thumbprint Claim of the Issuer against the
    // Certificate of STS-B.
    private bool IssuedBySTS_B(ClaimSet myClaimSet)
    {
        ClaimSet issuerClaimSet = myClaimSet.Issuer;
        if (issuerClaimSet == null) return false;
        if (issuerClaimSet.Count != 1) return false;
        Claim issuerClaim = issuerClaimSet[0];
        if (issuerClaim.ClaimType != ClaimTypes.Thumbprint)
            return false;
        if (issuerClaim.Resource == null) return false;
        byte[] claimThumbprint = (byte[])issuerClaim.Resource;
        // It is assumed that stsB_Certificate is a variable of type
        // X509Certificate2 that is initialized with the Certificate of
        // STS-B.
        X509Certificate2 stsB_Certificate = GetStsBCertificate();
        byte[] certThumbprint = stsB_Certificate.GetCertHash();
        if (claimThumbprint.Length != certThumbprint.Length)
            return false;
        for (int i = 0; i < claimThumbprint.Length; i++)
        {
            if (claimThumbprint[i] != certThumbprint[i]) return false;
        }
        return true;
    }

    // Application-specific: returns the certificate of STS-B. Left as a
    // placeholder here; a real implementation would load it from a
    // certificate store or configuration.
    private X509Certificate2 GetStsBCertificate()
    {
        throw new NotImplementedException("Load the STS-B certificate here.");
    }
}

Imports System
Imports System.IdentityModel.Claims
Imports System.IdentityModel.Policy
Imports System.Security.Cryptography.X509Certificates
Imports System.ServiceModel

Public Class myServiceAuthorizationManager
    Inherits ServiceAuthorizationManager

    ' Override the CheckAccess method to enforce access control requirements.
    Public Overloads Overrides Function CheckAccess(ByVal operationContext As OperationContext) As Boolean
        Dim authContext = operationContext.ServiceSecurityContext.AuthorizationContext
        If authContext.ClaimSets Is Nothing Then
            Return False
        End If

        If authContext.ClaimSets.Count <> 1 Then
            Return False
        End If

        Dim myClaimSet = authContext.ClaimSets(0)
        If Not IssuedBySTS_B(myClaimSet) Then
            Return False
        End If
        If myClaimSet.Count <> 1 Then
            Return False
        End If
        Dim myClaim = myClaimSet(0)
        If myClaim.ClaimType = "http://www.tmpuri.org:accessAuthorized" Then
            Dim resource = TryCast(myClaim.Resource, String)
            If resource Is Nothing Then
                Return False
            End If
            If resource <> "true" Then
                Return False
            End If
            Return True
        Else
            Return False
        End If
    End Function

    ' This helper method checks whether SAML Token was issued by STS-B.     
    ' It compares the Thumbprint Claim of the Issuer against the 
    ' Certificate of STS-B. 
    Private Function IssuedBySTS_B(ByVal myClaimSet As ClaimSet) As Boolean
        Dim issuerClaimSet = myClaimSet.Issuer
        If issuerClaimSet Is Nothing Then
            Return False
        End If
        If issuerClaimSet.Count <> 1 Then
            Return False
        End If
        Dim issuerClaim = issuerClaimSet(0)
        If issuerClaim.ClaimType <> ClaimTypes.Thumbprint Then
            Return False
        End If
        If issuerClaim.Resource Is Nothing Then
            Return False
        End If
        Dim claimThumbprint() = CType(issuerClaim.Resource, Byte())
        ' It is assumed that stsB_Certificate is a variable of type 
        ' X509Certificate2 that is initialized with the Certificate of 
        ' STS-B.
        Dim stsB_Certificate = GetStsBCertificate()
        Dim certThumbprint() = stsB_Certificate.GetCertHash()
        If claimThumbprint.Length <> certThumbprint.Length Then
            Return False
        End If
        For i = 0 To claimThumbprint.Length - 1
            If claimThumbprint(i) <> certThumbprint(i) Then
                Return False
            End If
        Next i
        Return True
    End Function

    ' Application-specific: returns the certificate of STS-B. Left as a
    ' placeholder here; a real implementation would load it from a
    ' certificate store or configuration.
    Private Function GetStsBCertificate() As X509Certificate2
        Throw New NotImplementedException("Load the STS-B certificate here.")
    End Function
End Class

Remarks

In general, applications should override CheckAccessCore instead of this method.

Override CheckAccess if the application associates or introduces a different set of policies for the resulting ServiceSecurityContext, or provides a different policy evaluation (chaining) model.

This method is responsible for calling CheckAccessCore.
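As an added example (not code from the original page), this shows the pattern the remarks above recommend: overriding CheckAccessCore rather than CheckAccess, so the base CheckAccess keeps building the ServiceSecurityContext and then delegates the decision here. The manager denies by default, rejects anonymous callers, and requires a role claim chosen by the incoming action's URI. The action URIs, the role claim type and the role names are assumed placeholders, not values from the page.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

public class ActionClaimAuthorizationManager : ServiceAuthorizationManager
{
    // Assumed placeholder: the claim type under which the token issuer
    // conveys the caller's role.
    private const string RoleClaimType = "http://example.invalid/claims/role";

    // Assumed placeholder mapping from WS-Addressing action to the role that
    // is required for it. Actions that are not listed are denied outright.
    private static readonly Dictionary<string, string> RequiredRoleByAction =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "http://example.invalid/IAccountService/GetBalance", "reader" },
            { "http://example.invalid/IAccountService/Transfer", "operator" },
        };

    // CheckAccess (base) calls this after the ServiceSecurityContext has
    // been evaluated, so the claim sets are already available here.
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext securityContext = operationContext.ServiceSecurityContext;
        if (securityContext == null || securityContext.IsAnonymous)
        {
            return false;
        }

        string action = operationContext.IncomingMessageHeaders.Action;
        string requiredRole;
        if (action == null || !RequiredRoleByAction.TryGetValue(action, out requiredRole))
        {
            // Deny by default: an operation we have no policy for is not
            // reachable, rather than silently allowed.
            return false;
        }

        return HasRole(securityContext.AuthorizationContext, requiredRole);
    }

    // Walks every claim set the policies produced and looks for a role
    // claim whose resource equals the required role (ordinal comparison,
    // so "Reader" does not satisfy "reader").
    private static bool HasRole(AuthorizationContext authContext, string requiredRole)
    {
        if (authContext == null || authContext.ClaimSets == null)
        {
            return false;
        }

        foreach (ClaimSet claimSet in authContext.ClaimSets)
        {
            foreach (Claim claim in claimSet.FindClaims(RoleClaimType, Rights.PossessProperty))
            {
                string role = claim.Resource as string;
                if (role != null && string.Equals(role, requiredRole, StringComparison.Ordinal))
                {
                    return true;
                }
            }
        }
        return false;
    }
}
```

Because the decision is made in CheckAccessCore, an application that later needs to change how the ServiceSecurityContext itself is built can override CheckAccess separately without touching this policy, which is the separation the remarks describe.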

CheckAccess(OperationContext, Message)

Checks authorization for the given operation context when access to a message is required.

public:
 virtual bool CheckAccess(System::ServiceModel::OperationContext ^ operationContext, System::ServiceModel::Channels::Message ^ % message);
public virtual bool CheckAccess (System.ServiceModel.OperationContext operationContext, ref System.ServiceModel.Channels.Message message);
abstract member CheckAccess : System.ServiceModel.OperationContext * Message -> bool
override this.CheckAccess : System.ServiceModel.OperationContext * Message -> bool
Public Overridable Function CheckAccess (operationContext As OperationContext, ByRef message As Message) As Boolean

Parameters

message
Message

The Message to be examined to determine authorization.

Returns

Boolean

true if access is granted; otherwise, false. The default is true.

Examples

The following code shows how to override this method to enforce custom access control requirements that require access to the message body.

using System.ServiceModel;
using System.ServiceModel.Channels;

public class myService_M_AuthorizationManager : ServiceAuthorizationManager
{
    // set max size for message
    int someMaxSize = 16000;

    // Override the message-aware CheckAccess overload (CheckAccessCore has no
    // overload that takes the message).
    public override bool CheckAccess(OperationContext operationContext, ref Message message)
    {
        bool accessAllowed = false;
        MessageBuffer requestBuffer = message.CreateBufferedCopy(someMaxSize);

        // do access checks using the message parameter value and set accessAllowed appropriately
        if (accessAllowed)
        {
            // replace incoming message with fresh copy since accessing the message consumes it
            message = requestBuffer.CreateMessage();
        }
        return accessAllowed;
    }
}

Imports System.ServiceModel
Imports System.ServiceModel.Channels

Public Class myService_M_AuthorizationManager
    Inherits ServiceAuthorizationManager

    ' set max size for message
    Private someMaxSize As Integer = 16000

    Public Overrides Function CheckAccess(ByVal operationContext As OperationContext, _
                                          ByRef message As Message) As Boolean
        Dim accessAllowed = False
        Dim requestBuffer = message.CreateBufferedCopy(someMaxSize)

        ' do access checks using the message parameter value and set accessAllowed appropriately
        If accessAllowed Then
            ' replace incoming message with fresh copy since accessing the message consumes it
            message = requestBuffer.CreateMessage()
        End If
        Return accessAllowed
    End Function
End Class

Remarks

In general, applications should override CheckAccessCore instead of this method, which should only be used if the authorization decision depends on the message body. Because of performance issues, if possible you should redesign your application so that the authorization decision does not require access to the message body.

Override this method if the application associates or introduces a different set of policies for the resulting ServiceSecurityContext and Message, or provides a different policy evaluation (chaining) model.

This method is responsible for calling CheckAccessCore.
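As an added example (not code from the original page), this fills in the "do access checks" step of the message-aware override above and handles the two failure modes the skeleton leaves open: a body larger than the buffer limit, and a message that has been consumed by the inspection so the dispatcher can no longer read it. The body element name, its namespace and the rule that the element must match the caller's identity are assumed placeholders; so is the choice to treat a QuotaExceededException from CreateBufferedCopy as a denial.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Xml;

public class BodyInspectingAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed limit: the most of a request body we are willing to hold
    // in memory for an authorization decision.
    private const int MaxBufferedBytes = 16 * 1024;

    // Assumed placeholders for the body element the decision depends on.
    private const string AccountElement = "AccountId";
    private const string AccountNamespace = "http://example.invalid/accounts";

    public override bool CheckAccess(OperationContext operationContext, ref Message message)
    {
        // Nothing to authorize on: empty bodies and faults are refused.
        if (message == null || message.IsEmpty || message.IsFault)
        {
            return false;
        }

        MessageBuffer buffer;
        try
        {
            // Buffering consumes the original message; the limit keeps an
            // oversized body from being read into memory in full.
            buffer = message.CreateBufferedCopy(MaxBufferedBytes);
        }
        catch (QuotaExceededException)
        {
            // Assumed handling: a body over the limit is denied rather than
            // buffered without bound.
            return false;
        }

        // Hand the dispatcher a fresh, unread copy whether or not we allow
        // the call, so the original message being consumed here never
        // surfaces as a confusing error later in the pipeline.
        message = buffer.CreateMessage();

        // Inspect a second, independent copy so the dispatcher's copy stays
        // unread.
        using (Message inspectionCopy = buffer.CreateMessage())
        using (XmlDictionaryReader body = inspectionCopy.GetReaderAtBodyContents())
        {
            return BodyMatchesCaller(body, operationContext);
        }
    }

    // Placeholder rule: the account named in the body must equal the
    // authenticated caller's name. Any missing piece results in a denial.
    private static bool BodyMatchesCaller(XmlDictionaryReader body, OperationContext operationContext)
    {
        if (!body.ReadToDescendant(AccountElement, AccountNamespace))
        {
            return false;
        }
        string accountInBody = body.ReadElementContentAsString();
        if (string.IsNullOrEmpty(accountInBody))
        {
            return false;
        }

        ServiceSecurityContext securityContext = operationContext.ServiceSecurityContext;
        if (securityContext == null || securityContext.IsAnonymous ||
            securityContext.PrimaryIdentity == null)
        {
            return false;
        }

        return string.Equals(securityContext.PrimaryIdentity.Name, accountInBody,
                             StringComparison.Ordinal);
    }
}
```

The page's skeleton recreates the message only when access is allowed; this version always restores it before deciding, which costs nothing extra (the buffer already exists) and keeps the denied path free of a half-consumed message. The buffer limit is the practical answer to the performance caveat in the remarks: if a decision genuinely needs the body, bound how much of it you are prepared to read.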

Applies to