ServiceAuthorizationManager Class

Definition

Provides authorization access checking for service operations.

public ref class ServiceAuthorizationManager
public class ServiceAuthorizationManager
type ServiceAuthorizationManager = class
Public Class ServiceAuthorizationManager
Inheritance
ServiceAuthorizationManager

Examples

The following example shows a class named MyServiceAuthorizationManager that inherits from ServiceAuthorizationManager and overrides the CheckAccessCore method.

using System.IdentityModel.Claims;
using System.ServiceModel;

public class MyServiceAuthorizationManager : ServiceAuthorizationManager
{
  protected override bool CheckAccessCore(OperationContext operationContext)
  {
    // Extract the action URI from the OperationContext. Match this against the claims
    // in the AuthorizationContext.
    string action = operationContext.RequestContext.RequestMessage.Headers.Action;
  
    // Iterate through the various claim sets in the AuthorizationContext.
    foreach(ClaimSet cs in operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
    {
      // Examine only those claim sets issued by System.
      if (cs.Issuer == ClaimSet.System)
      {
        // Iterate through claims of type "http://www.contoso.com/claims/allowedoperation".
        foreach (Claim c in cs.FindClaims("http://www.contoso.com/claims/allowedoperation", Rights.PossessProperty))
        {
          // If the Claim resource matches the action URI then return true to allow access.
          if (action == c.Resource.ToString())
            return true;
        }
      }
    }
  
    // If this point is reached, return false to deny access.
    return false;
  }
}

Imports System.IdentityModel.Claims
Imports System.ServiceModel

Public Class MyServiceAuthorizationManager
    Inherits ServiceAuthorizationManager

    Protected Overrides Function CheckAccessCore(ByVal operationContext As OperationContext) As Boolean
        ' Extract the action URI from the OperationContext. Match this against the claims
        ' in the AuthorizationContext.
        Dim action As String = operationContext.RequestContext.RequestMessage.Headers.Action

        ' Iterate through the various claim sets in the AuthorizationContext.
        Dim cs As ClaimSet
        For Each cs In operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets
            ' Examine only those claim sets issued by System.
            If cs.Issuer Is ClaimSet.System Then
                ' Iterate through claims of type "http://www.contoso.com/claims/allowedoperation".
                Dim c As Claim
                For Each c In cs.FindClaims("http://www.contoso.com/claims/allowedoperation", _
                     Rights.PossessProperty)
                    ' If the Claim resource matches the action URI then return true to allow access.
                    If action = c.Resource.ToString() Then
                        Return True
                    End If
                Next c
            End If
        Next cs
        ' If this point is reached, return false to deny access.
        Return False

    End Function
End Class

Remarks

This class is responsible for evaluating all policies (rules that define what a user is allowed to do), comparing the policies to claims made by a client, setting the resulting AuthorizationContext to the ServiceSecurityContext, and providing the authorization decision whether to allow or deny access for a given service operation for a caller.

The CheckAccessCore method is called by the Windows Communication Foundation (WCF) infrastructure each time an attempt to access a resource is made. The method returns true or false to allow or deny access, respectively.

The ServiceAuthorizationManager is part of the WCF Identity Model infrastructure. The Identity Model enables you to create custom authorization policies and custom authorization schemes. For more information about how the Identity Model works, see Managing Claims and Authorization with the Identity Model.

Custom Authorization

This class does not perform any authorization and allows users to access all service operations. To provide more restrictive authorization, you must create a custom authorization manager that checks custom policies. To do this, inherit from this class and override the CheckAccessCore method. Specify the instance of the derived class through the ServiceAuthorizationManager property.

In CheckAccessCore, the application can use the OperationContext object to access the caller identity (ServiceSecurityContext).

By getting the IncomingMessageHeaders property, which returns a MessageHeaders object, the application can access the service (To), and the operation (Action).

By getting the RequestContext property, which returns a RequestContext object, the application can access the entire request message (RequestMessage) and perform the authorization decision accordingly.

For an example, see How to: Create a Custom Authorization Manager for a Service.

To create custom authorization policies, implement the IAuthorizationPolicy class. For an example, see How to: Create a Custom Authorization Policy.

To create a custom claim, use the Claim class. For an example, see How to: Create a Custom Claim. To compare custom claims, you must compare claims, as shown in How to: Compare Claims.

For more information, see Custom Authorization.

You can set the type of a custom authorization manager using the <serviceAuthorization> in a client application configuration file.
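
The following added example (not part of the original documentation) shows a deny-by-default CheckAccessCore that reads the caller identity from ServiceSecurityContext and the operation from IncomingMessageHeaders, as described above, and attaches the manager through the host's Authorization.ServiceAuthorizationManager property. The class names, action URIs, and account names are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;

// Added example: deny-by-default manager keyed on the SOAP action.
public class AllowListAuthorizationManager : ServiceAuthorizationManager
{
    // Hypothetical action URIs and account names, constructed for illustration.
    private static readonly Dictionary<string, HashSet<string>> AllowedCallers =
        new Dictionary<string, HashSet<string>>(StringComparer.Ordinal)
        {
            { "http://example.org/ICalculator/Add",
              new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CONTOSO\alice", @"CONTOSO\bob" } },
            { "http://example.org/ICalculator/Reset",
              new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CONTOSO\alice" } },
        };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // No security context (unsecured binding) or an anonymous caller: deny.
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        if (security == null || security.IsAnonymous)
            return false;

        var identity = security.PrimaryIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return false;

        // The operation being invoked, taken from the incoming message headers.
        string action = operationContext.IncomingMessageHeaders.Action;
        if (string.IsNullOrEmpty(action))
            return false;

        // Unknown actions fall through to false, so new operations are closed by default.
        HashSet<string> callers;
        return AllowedCallers.TryGetValue(action, out callers)
            && callers.Contains(identity.Name);
    }
}

public static class HostSetup
{
    // Attach the manager before calling Open(); serviceType is the service implementation.
    public static ServiceHost CreateHost(Type serviceType, Uri baseAddress)
    {
        var host = new ServiceHost(serviceType, baseAddress);
        host.Authorization.ServiceAuthorizationManager = new AllowListAuthorizationManager();
        return host;
    }
}
```

Because the base class allows every call, a host that is opened without this assignment (or the equivalent configuration entry) performs no authorization at all, which makes the assignment worth checking in deployment review.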

Constructors

ServiceAuthorizationManager()

Initializes a new instance of the ServiceAuthorizationManager class.

Methods

CheckAccess(OperationContext)

Checks authorization for the given operation context.

CheckAccess(OperationContext, Message)

Checks authorization for the given operation context when access to a message is required.

CheckAccessCore(OperationContext)

Checks authorization for the given operation context based on default policy evaluation.

Equals(Object)

Determines whether the specified object is equal to the current object.

(Inherited from Object)
GetAuthorizationPolicies(OperationContext)

Gets the set of policies that participate in policy evaluation.

GetHashCode()

Serves as the default hash function.

(Inherited from Object)
GetType()

Gets the Type of the current instance.

(Inherited from Object)
MemberwiseClone()

Creates a shallow copy of the current Object.

(Inherited from Object)
ToString()

Returns a string that represents the current object.

(Inherited from Object)
