ClaimsAuthenticationManager is called for every GET

    Question

  • Hi all,

    I created a custom ClaimsAuthenticationManager to add new claims for the logged in user. Therefore I determine the name of the user and use a database lookup to get extra info about the user. That extra info is added to the claimset.

    This all works just fine. My problem is that the method Authenticate is called for every GET request, including css and images. HttpContext.Current.Items is empty each time Authenticate is called, leaving no option for caching data on the context.

    I am using the following configuration:

        <microsoft.identityModel>
         <service>
          <claimsAuthenticationManager type="MyClaimsAuthenticationManager, <assemblyname>"/>
         </service>
        </microsoft.identityModel>

    I am using MVC 3, so all content, like css and images goes to the Content folder. Even if I add the config below, still Authenticate is being called.

        <location path="Content">
         <system.web>
          <authorization>
           <allow users="*"/>
          </authorization>
         </system.web>
        </location>

    How can I minimize the calls to AuthenticationManager.Authenticate? I have read that it should only be called once in a session.

    Kind regards,

    Ronald

    Tuesday, June 7, 2011 14:57

Answers

  • Hi,

    I've found a nice workaround for this problem.

    Instead of ClaimsAuthenticationManager we can use FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated event. It behaves as expected ;-)

        void fam_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
        {
            IClaimsPrincipal principal = e.ClaimsPrincipal;

            try
            {
                // SQL connection / claims injection
            }
            catch
            {
                // Error
            }
        }

    Monday, October 3, 2011 07:32
  • Once you've added whatever claims you are generating in the ClaimsAuthenticationManager, you need to serialize it with the SessionAuthenticationModule.

    See Example here

    • Marked as answer by RonaldK Monday, February 27, 2012 18:26
    Sunday, February 26, 2012 08:09
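
One way to combine the two answers above, as an added example that is not part of the original thread: the manager enriches the principal once, then writes it to the session cookie so later requests (including css and images) skip the database. The marker claim type `urn:example:claims/enriched` and the `LookupExtraClaims` helper are hypothetical, and the sketch assumes WIF 3.5 (`Microsoft.IdentityModel`).

```csharp
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class MyClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Hypothetical marker claim: its presence means the lookup already ran.
    private const string EnrichedMarker = "urn:example:claims/enriched";

    public override IClaimsPrincipal Authenticate(string resourceName,
                                                  IClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests carry no user to enrich.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        IClaimsIdentity identity = incomingPrincipal.Identity as IClaimsIdentity;
        if (identity == null)
            return incomingPrincipal;

        // A principal that was already enriched (for example one restored
        // from the session cookie) carries the marker: skip the database.
        foreach (Claim existing in identity.Claims)
            if (existing.ClaimType == EnrichedMarker)
                return incomingPrincipal;

        foreach (Claim extra in LookupExtraClaims(identity.Name))
            identity.Claims.Add(extra);
        identity.Claims.Add(new Claim(EnrichedMarker, "true"));

        // Serialize the enriched principal into the session cookie.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam != null)
            sam.WriteSessionTokenToCookie(new SessionSecurityToken(incomingPrincipal));

        return incomingPrincipal;
    }

    // Placeholder for the database lookup described in the question;
    // the role value is constructed sample data.
    private static Claim[] LookupExtraClaims(string userName)
    {
        return new[] { new Claim(ClaimTypes.Role, "ExampleRole") };
    }
}
```

`FederatedAuthentication.SessionAuthenticationModule` is only available when the SessionAuthenticationModule is registered in the site's module list. The cookie now carries the added claims, so keep it to what the application needs on each request.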

All replies

  • Did you ever find a solution to this? I'm experiencing the exact same issue.

     

    Thanks,

    Monday, August 29, 2011 13:42
  • Did you ever find a solution to this? I'm experiencing the exact same issue.

     

    Thanks,


    Hi,

    No, I did not. However, I did start using an authentication cookie, see http://stackoverflow.com/questions/5997848/adding-claims-based-authorization-to-mvc-3/6067309#6067309.

    This does work on IIS 6.0, however, after migrating to IIS 7/7.5 another error occurred ("Invalid token for impersonation - it cannot be duplicated"). Still have to investigate that one...

    Kind regards

    Wednesday, September 7, 2011 20:31
  • Hi,

    I encountered the exact same problem today. (IIS 7.5 MVC 3) Did anyone solve this issue or have a clue where to look for the cause?

    Wednesday, September 21, 2011 09:20
  • Hi Gregorz,

    According to http://msdn.microsoft.com/en-us/library/ee748487.aspx, it should be called once a session. As stated, that is not the case.

    Depending on the type of files, you could consider making them publicly accessible. With IIS 7, you should not use ASP.NET security, rather use IIS security, URL authorization: http://technet.microsoft.com/nl-nl/library/cc772206(WS.10).aspx

    I still hope someone can come up with a solution to the problem..

    HTH

     

    Ronald

    Wednesday, September 21, 2011 10:36
  • Hi,

    I've found a nice workaround for this problem.

    Instead of ClaimsAuthenticationManager we can use FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated event. It behaves as expected ;-)

        void fam_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
        {
            IClaimsPrincipal principal = e.ClaimsPrincipal;

            try
            {
                // SQL connection / claims injection
            }
            catch
            {
                // Error
            }
        }

    Thanks for sharing your solution. Although I did not try it myself yet, I already marked your post as answer.
    • Proposed as answer by DeLux_247 Friday, March 23, 2012 14:58
    Monday, October 3, 2011 07:39
  • I did this in the global.asax file. Works like a champ..

    Thanks

    Friday, March 23, 2012 14:58
  • I did the claims injection with an additional, custom HttpModule. The claims are injected in AuthenticateRequest, where the Session is available. This way I obtain the claims from the DB only once and cache in the Session.
    I did this in the context of turning IPrincipal into IClaimsPrincipal.  Blog post here:
    http://blogs.dotnetkicks.com/eduardo/2012/07/10/claim-based-security-with-asp-net-membership-providers/

    I stayed away from the ClaimsAuthenticationManager because it would get called for every GET.
    • Edited by egomezr Tuesday, July 10, 2012 20:38
    Tuesday, July 10, 2012 20:21