ClaimsAuthenticationManager is called for every GET
-
Tuesday, June 07, 2011 2:57 PM
Hi all,
I created a custom ClaimsAuthenticationManager to add new claims for the logged in user. Therefore I determine the name of the user and use a database lookup to get extra info about the user. That extra info is added to the claimset.
This all works just fine. My problem is that the method Authenticate is called for every GET request, including css and images. HttpContext.Current.Items is empty each time Authenticate is called, leaving no option for caching data on the context.
I am using the following configuration:
<microsoft.identityModel>
  <service>
    <claimsAuthenticationManager type="MyClaimsAuthenticationManager, <assemblyname>"/>
  </service>
</microsoft.identityModel>
I am using MVC 3, so all content, like css and images, goes to the Content folder. Even if I add the config below, Authenticate is still being called.
<location path="Content">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
How can I minimize the calls to the AuthenticationManager.Authenticate? I have read that it should only be called once in a session.
Kind regards,
Ronald
All Replies
-
Monday, August 29, 2011 1:42 PM
Did you ever find a solution to this? I'm experiencing the exact same issue.
Thanks,
-
Wednesday, September 07, 2011 8:31 PM
Hi,
No, I did not. However, I did start using an authentication cookie, see http://stackoverflow.com/questions/5997848/adding-claims-based-authorization-to-mvc-3/6067309#6067309.
This does work on IIS 6.0, however, after migrating to IIS 7/7.5 another error occurred ("Invalid token for impersonation - it cannot be duplicated"). Still have to investigate that one...
Kind regards
-
Wednesday, September 21, 2011 9:20 AM
Hi,
I encountered the exact same problem today. (IIS 7.5 MVC 3) Did anyone solve this issue or have a clue where to look for the cause?
-
Wednesday, September 21, 2011 10:36 AM
Hi Gregorz,
According to http://msdn.microsoft.com/en-us/library/ee748487.aspx, it should be called once a session. As stated, that is not the case.
Depending on the type of files, you could consider making them publicly accessible. With IIS 7, you should not use ASP.NET security, rather use IIS security, URL authorization: http://technet.microsoft.com/nl-nl/library/cc772206(WS.10).aspx
I still hope someone can come up with a solution to the problem..
HTH
Ronald
-
Monday, October 03, 2011 7:32 AM
Hi,
I've found a nice workaround for this problem.
Instead of ClaimsAuthenticationManager we can use the FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated event. It behaves as expected ;-)
void fam_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
{
    // Principal from the token that was just validated
    IClaimsPrincipal principal = e.ClaimsPrincipal;
    try
    {
        // SQL connection / claims injection
    }
    catch
    {
        // Error
    }
}
- Edited by Grzegorz Banczak Monday, October 03, 2011 7:33 AM
- Edited by Grzegorz Banczak Monday, October 03, 2011 7:34 AM
- Marked As Answer by RonaldK Monday, October 03, 2011 7:38 AM
-
Monday, October 03, 2011 7:39 AM
Thanks for sharing your solution. Although I did not try it myself yet, I already marked your post as answer.
- Proposed As Answer by DeLux_247 Friday, March 23, 2012 2:58 PM
-
Sunday, February 26, 2012 8:09 AM
Once you've added whatever claims you're generating in the ClaimsAuthenticationManager, you need to serialize it with the SessionAuthenticationModule.
- Marked As Answer by RonaldK Monday, February 27, 2012 6:26 PM
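Added example, not part of the original thread and not code from any poster: one way to do what the reply above describes with WIF 1.0 (Microsoft.IdentityModel), writing the enriched principal to the session cookie so the database lookup is not repeated. Assumptions: the SessionAuthenticationModule is registered in web.config and restores the principal from its cookie before Authenticate runs; the marker claim type, LoadClaimsFromDatabase and its sample role are hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class MyClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Hypothetical marker claim: present once the database claims have been added.
    private const string EnrichedMarker = "urn:example:claims/enriched";

    public override IClaimsPrincipal Authenticate(string resourceName,
                                                  IClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests get no extra claims and no session cookie.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        var identity = (IClaimsIdentity)incomingPrincipal.Identity;

        // A principal restored from the session cookie already carries the
        // extra claims, so the database is not queried again.
        if (identity.Claims.Any(c => c.ClaimType == EnrichedMarker))
            return incomingPrincipal;

        foreach (Claim claim in LoadClaimsFromDatabase(identity.Name))
            identity.Claims.Add(claim);
        identity.Claims.Add(new Claim(EnrichedMarker, "true"));

        // Serialize the enriched principal into the WIF session cookie.
        // The cached claims stay in effect until this token expires, so a role
        // removed in the database is not noticed before then.
        var token = new SessionSecurityToken(incomingPrincipal);
        FederatedAuthentication.SessionAuthenticationModule
                               .WriteSessionTokenToCookie(token);
        return incomingPrincipal;
    }

    // Hypothetical stand-in for the database lookup described in the question.
    private static IEnumerable<Claim> LoadClaimsFromDatabase(string userName)
    {
        yield return new Claim(ClaimTypes.Role, "ExampleRole"); // constructed sample value
    }
}
```

Because the cookie now carries authorization data, serve it over HTTPS only, for example by setting requireSsl="true" on the WIF cookieHandler element.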
-
Friday, March 23, 2012 2:58 PM
I did this in the global.asax file. Works like a champ..
Thanks
-
Tuesday, July 10, 2012 8:21 PM
I did the claims injection with an additional, custom HttpModule. The claims are injected in AuthenticateRequest, where the Session is available. This way I obtain the claims from the DB only once and cache them in the Session.
I stayed away from the ClaimsAuthenticationManager because it would get called for every GET.
I did this in the context of turning IPrincipal into IClaimsPrincipal. Blog post here:
http://blogs.dotnetkicks.com/eduardo/2012/07/10/claim-based-security-with-asp-net-membership-providers/
- Edited by egomezr Tuesday, July 10, 2012 8:38 PM

