ClaimsAuthenticationManager is called for every GET

    Question

  • Hi all,

    I created a custom ClaimsAuthenticationManager to add new claims for the logged in user. Therefore, I determine the name of the user and use a database lookup to get extra info about the user. That extra info is added to the claimset.

    This all works just fine. My problem is that the method Authenticate is called for every GET request, including css and images. HttpContext.Current.Items is empty each time Authenticate is called, leaving no option for caching data on the context.

    I am using the following configuration:

        <microsoft.identityModel>
         <service>
          <claimsAuthenticationManager type="MyClaimsAuthenticationManager, <assemblyname>"/>
         </service>
        </microsoft.identityModel>

    I am using MVC 3, so all content, like CSS and images, goes to the Content folder. Even if I add the config below, Authenticate is still being called.

        <location path="Content">
         <system.web>
          <authorization>
           <allow users="*"/>
          </authorization>
         </system.web>
        </location>

    How can I minimize the calls to AuthenticationManager.Authenticate? I have read that it should only be called once in a session.

    Kind regards,

    Ronald

    Tuesday, June 07, 2011 2:57 PM

Answers

  • Hi,

    I've found a nice workaround for this problem.

    Instead of ClaimsAuthenticationManager we can use FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated event. It behaves like expected ;-)

        void fam_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
        {
            IClaimsPrincipal principal = e.ClaimsPrincipal;

            try
            {
                // SQL connection / claims injection
            }
            catch
            {
                // Error
            }
        }

    • Edited by Grzegorz Banczak Monday, October 03, 2011 7:34 AM
    • Marked as answer by RonaldK Monday, October 03, 2011 7:38 AM
    Monday, October 03, 2011 7:32 AM
  • Once you've added whatever claims you are generating in the ClaimsAuthenticationManager, you need to serialize it with the SessionAuthenticationModule.

    See Example here

    • Marked as answer by RonaldK Monday, February 27, 2012 6:26 PM
    Sunday, February 26, 2012 8:09 AM
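
One way to apply the session-serialization approach from this answer, as an added example that is not code from the thread or from the WIF documentation. It assumes the SessionAuthenticationModule is registered in web.config; the marker claim type, the issuer string, the sample role data and the 30-minute lifetime are hypothetical values chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class MyClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Hypothetical marker claim and issuer: presence means the lookup already ran.
    private const string MarkerType = "urn:example:claims-transformed";
    private const string LocalIssuer = "urn:example:this-application";

    // Constructed sample data standing in for the database lookup.
    private static readonly Dictionary<string, string[]> SampleRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\alice", new[] { "Editor", "Reviewer" } }
        };

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return incomingPrincipal; // anonymous request, nothing to enrich

        // Trust only a marker issued by this application, never one carried in from outside.
        if (identity.Claims.Any(c => c.ClaimType == MarkerType && c.Issuer == LocalIssuer))
            return incomingPrincipal; // already enriched, skip the lookup

        string[] roles;
        if (SampleRoles.TryGetValue(identity.Name ?? string.Empty, out roles))
            foreach (string role in roles)
                identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, LocalIssuer));
        identity.Claims.Add(new Claim(MarkerType, "true", ClaimValueTypes.String, LocalIssuer));

        // Serialize the enriched principal into the session cookie with a bounded
        // lifetime, so stale roles are re-read from the store after it expires.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam != null)
        {
            DateTime now = DateTime.UtcNow;
            SessionSecurityToken token = sam.CreateSessionSecurityToken(
                incomingPrincipal, "claims-cache", now, now.AddMinutes(30), false);
            sam.WriteSessionTokenToCookie(token);
        }
        return incomingPrincipal;
    }
}
```

Roles cached this way stay in effect until the session token expires, so the lifetime bounds how long a revoked role remains usable.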

All replies

  • Did you ever find a solution to this? I'm experiencing the exact same issue.

     

    Thanks,

    Monday, August 29, 2011 1:42 PM
  • Hi,

    No, I did not. However, I did start using an authentication cookie, see http://stackoverflow.com/questions/5997848/adding-claims-based-authorization-to-mvc-3/6067309#6067309.

    This does work on IIS 6.0, however, after migrating to IIS 7/7.5 another error occurred ("Invalid token for impersonation - it cannot be duplicated"). Still have to investigate that one...

    Kind regards

    Wednesday, September 07, 2011 8:31 PM
  • Hi,

    I encountered the exact same problem today (IIS 7.5, MVC 3). Did anyone solve this issue or have a clue where to look for the cause?

    Wednesday, September 21, 2011 9:20 AM
  • Hi Gregorz,

    According to http://msdn.microsoft.com/en-us/library/ee748487.aspx, it should be called once a session. As stated, that is not the case.

    Depending on the type of files, you could consider making them publicly accessible. With IIS 7, you should not use ASP.NET security, rather use IIS security, URL authorization: http://technet.microsoft.com/nl-nl/library/cc772206(WS.10).aspx

    I still hope someone can come up with a solution to the problem..

    HTH

     

    Ronald

    Wednesday, September 21, 2011 10:36 AM
  • Thanks for sharing your solution. Although I did not try it myself yet, I already marked your post as answer.
    • Proposed as answer by DeLux_247 Friday, March 23, 2012 2:58 PM
    Monday, October 03, 2011 7:39 AM
  • I did this in the global.asax file. Works like a champ..

    Thanks

    Friday, March 23, 2012 2:58 PM
  • I did the claims injection with an additional, custom HttpModule. The claims are injected in AuthenticateRequest, where the Session is available. This way I obtain the claims from the DB only once and cache them in the Session.
    I did this in the context of turning IPrincipal into IClaimsPrincipal. Blog post here:
    http://blogs.dotnetkicks.com/eduardo/2012/07/10/claim-based-security-with-asp-net-membership-providers/

    I stayed away from the ClaimsAuthenticationManager because it would get called for every GET.
    • Edited by egomezr Tuesday, July 10, 2012 8:38 PM
    Tuesday, July 10, 2012 8:21 PM