ServiceAuthorizationManager.CheckAccessCore(OperationContext) Method

Definition

Checks authorization for the given operation context based on default policy evaluation.

protected:
 virtual bool CheckAccessCore(System::ServiceModel::OperationContext ^ operationContext);
protected virtual bool CheckAccessCore (System.ServiceModel.OperationContext operationContext);
abstract member CheckAccessCore : System.ServiceModel.OperationContext -> bool
override this.CheckAccessCore : System.ServiceModel.OperationContext -> bool
Protected Overridable Function CheckAccessCore (operationContext As OperationContext) As Boolean

Parameters

operationContext
OperationContext

The OperationContext for the current authorization request.

Returns

Boolean

true if access is granted; otherwise, false. The default is true.

Examples

The following example shows an override of the CheckAccessCore method.

protected override bool CheckAccessCore(OperationContext operationContext)
{
  // Extract the action URI from the OperationContext. Match this against the claims
  // in the AuthorizationContext.
  string action = operationContext.RequestContext.RequestMessage.Headers.Action;

  // Iterate through the various claim sets in the AuthorizationContext.
  foreach(ClaimSet cs in operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
  {
    // Examine only those claim sets issued by System.
    if (cs.Issuer == ClaimSet.System)
    {
      // Iterate through claims of type "http://www.contoso.com/claims/allowedoperation".
      foreach (Claim c in cs.FindClaims("http://www.contoso.com/claims/allowedoperation", Rights.PossessProperty))
      {
        // If the Claim resource matches the action URI then return true to allow access.
        if (action == c.Resource.ToString())
          return true;
      }
    }
  }

  // If this point is reached, return false to deny access.
  return false;
}
Protected Overrides Function CheckAccessCore(ByVal operationContext As OperationContext) As Boolean
    ' Extract the action URI from the OperationContext. Match this against the claims
    ' in the AuthorizationContext.
    Dim action As String = operationContext.RequestContext.RequestMessage.Headers.Action

    ' Iterate through the various claim sets in the AuthorizationContext.
    Dim cs As ClaimSet
    For Each cs In operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets
        ' Examine only those claim sets issued by System.
        If cs.Issuer Is ClaimSet.System Then
            ' Iterate through claims of type "http://www.contoso.com/claims/allowedoperation".
            Dim c As Claim
            For Each c In cs.FindClaims("http://www.contoso.com/claims/allowedoperation", _
                 Rights.PossessProperty)
                ' If the Claim resource matches the action URI then return true to allow access.
                If action = c.Resource.ToString() Then
                    Return True
                End If
            Next c
        End If
    Next cs 
    ' If this point is reached, return false to deny access.
    Return False

End Function 

For another example, see How to: Create a Custom Authorization Manager for a Service.

Remarks

ServiceSecurityContext is generally the result from the default policy evaluation.

Override this method to provide custom authorization decisions.

This method can be used to make authorization decisions based on claim sets that are inferred based on incoming tokens, or added through external authorization policies. It can also make authorization decisions based on properties of the incoming message: for example, the action header.

In this method, the application can use the operationContext parameter to access the caller identity (ServiceSecurityContext). By returning the RequestContext object from the RequestContext property, the application can access the entire request message (RequestMessage). By returning the MessageHeaders object from the IncomingMessageHeaders property, the application can access the service URL (To) and the operation (Action). With this information, the application can perform the authorization decision accordingly.

The claims made by a user are found in the ClaimSet returned by the ClaimSets property of the AuthorizationContext. The current AuthorizationContext is returned by the ServiceSecurityContext property of the OperationContext class.
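
A fail-closed variant of the override, added here as an example and not part of the original documentation: it denies when the security context, the caller identity or the Action header is missing, and shows where the manager is attached to the host. The class name FailClosedAuthorizationManager and the Attach helper are hypothetical; the claim type URI is the one from the example above, and the claim resource is assumed to be a string.

```csharp
using System;
using System.IdentityModel.Claims;
using System.ServiceModel;

// Added example; class name and Attach helper are hypothetical.
public class FailClosedAuthorizationManager : ServiceAuthorizationManager
{
    // Claim type taken from the example on this page.
    private const string AllowedOperationClaim =
        "http://www.contoso.com/claims/allowedoperation";

    // Register the manager; this must happen before host.Open().
    public static void Attach(ServiceHostBase host)
    {
        host.Authorization.ServiceAuthorizationManager = new FailClosedAuthorizationManager();
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Deny when there is no security context or the caller is anonymous.
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        if (security == null || security.IsAnonymous || security.AuthorizationContext == null)
            return false;

        // Deny messages without an Action header: nothing to match a claim against.
        string action = operationContext.IncomingMessageHeaders.Action;
        if (string.IsNullOrEmpty(action))
            return false;

        foreach (ClaimSet cs in security.AuthorizationContext.ClaimSets)
        {
            // Trust only claim sets issued by System, as in the page's example.
            if (cs.Issuer != ClaimSet.System)
                continue;

            foreach (Claim c in cs.FindClaims(AllowedOperationClaim, Rights.PossessProperty))
            {
                // Assumption: the claim resource is a string; any other type is ignored.
                string resource = c.Resource as string;
                // Ordinal comparison: exact match, no culture rules or case folding.
                if (resource != null && string.Equals(action, resource, StringComparison.Ordinal))
                    return true;
            }
        }

        // No matching claim: deny.
        return false;
    }
}
```

Because the base implementation returns true, an override that forgets one of these early returns grants access by default; keeping the final statement as a deny makes every unhandled path fail closed.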
