ClaimsAuthenticationManager is called for every GET

    Question

  • Hi all,

    I created a custom ClaimsAuthenticationManager to add new claims for the logged in user. Therefore I determine the name of the user and use a database lookup to get extra info about the user. That extra info is added to the claimset.

    This all works just fine. My problem is that the method Authenticate is called for every GET request, including css and images. HttpContext.Current.Items is empty each time Authenticate is called, leaving no option for caching data on the context.

    I am using the following configuration:

        <microsoft.identityModel>
          <service>
            <claimsAuthenticationManager type="MyClaimsAuthenticationManager, <assemblyname>"/>
          </service>
        </microsoft.identityModel>

    I am using MVC 3, so all content, like css and images goes to the Content folder. Even if I add the config below, still Authenticate is being called.

        <location path="Content">
          <system.web>
            <authorization>
              <allow users="*"/>
            </authorization>
          </system.web>
        </location>

    How can I minimize the calls to AuthenticationManager.Authenticate? I have read that it should only be called once in a session.

    Kind regards,

    Ronald

    Tuesday, June 7, 2011 14:57

Answers

  • Hi,

    I've found a nice workaround for this problem.

    Instead of ClaimsAuthenticationManager we can use FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated event. It behaves like expected ;-)

        void fam_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
        {
            IClaimsPrincipal principal = e.ClaimsPrincipal;

            try
            {
                // SQL connection / claims injection
            }
            catch
            {
                // Error
            }
        }

    • Edited by Grzegorz Banczak Monday, October 3, 2011 07:34
    • Marked as answer by RonaldK Monday, October 3, 2011 07:38
    Monday, October 3, 2011 07:32
  • Once you've added whatever claims you are generating in the ClaimsAuthenticationManager, you need to serialize it with the SessionAuthenticationModule.

    See Example here

    • Marked as answer by RonaldK Monday, February 27, 2012 18:26
    Sunday, February 26, 2012 08:09
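
One way to do the serialization described in the answer above, as an added example that is not part of the thread: a ClaimsAuthenticationManager for WIF 3.5 (Microsoft.IdentityModel) that enriches the principal once, writes it to the session cookie, and skips the lookup when the incoming principal already carries a locally issued marker claim. It assumes the SessionAuthenticationModule is registered in web.config; the marker claim type, the issuer name and LookupRoles are hypothetical.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class MyClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Hypothetical names chosen for this example.
    private const string EnrichedMarker = "urn:example:claims/enriched";
    private const string LocalIssuer = "urn:example:local-enrichment";

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests get no extra claims and no database call.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        IClaimsIdentity identity = (IClaimsIdentity)incomingPrincipal.Identity;

        // A principal restored from the session cookie already carries the marker.
        // The issuer is checked too, so a same-named claim from an external token
        // cannot suppress the lookup.
        if (identity.Claims.Any(c => c.ClaimType == EnrichedMarker && c.Issuer == LocalIssuer))
            return incomingPrincipal;

        foreach (string role in LookupRoles(identity.Name))
            identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, LocalIssuer));
        identity.Claims.Add(new Claim(EnrichedMarker, "true", ClaimValueTypes.String, LocalIssuer));

        // Serialize the enriched principal so later requests are served from the cookie.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam != null)
        {
            var token = new SessionSecurityToken(incomingPrincipal, TimeSpan.FromHours(8));
            sam.WriteSessionTokenToCookie(token);
        }
        return incomingPrincipal;
    }

    // Placeholder for the database lookup described in the question.
    private static string[] LookupRoles(string userName)
    {
        return new[] { "Reader" };
    }
}
```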

All replies

  • Did you ever find a solution to this? I'm experiencing the exact same issue.

     

    Thanks,

    Monday, August 29, 2011 13:42
  • Did you ever find a solution to this? I'm experiencing the exact same issue.

     

    Thanks,


    Hi,

    No, I did not. However, I did start using an authentication cookie, see http://stackoverflow.com/questions/5997848/adding-claims-based-authorization-to-mvc-3/6067309#6067309.

    This does work on IIS 6.0, however, after migrating to IIS 7/7.5 another error occurred ("Invalid token for impersonation - it cannot be duplicated"). Still have to investigate that one...

    Kind regards

    Wednesday, September 7, 2011 20:31
  • Hi,

    I encountered the exact same problem today. (IIS 7.5 MVC 3) Did anyone solve this issue or have a clue where to look for the cause?

    Wednesday, September 21, 2011 09:20
  • Hi Grzegorz,

    According to http://msdn.microsoft.com/en-us/library/ee748487.aspx, it should be called once a session. As stated, that is not the case.

    Depending on the type of files, you could consider making them publicly accessible. With IIS 7, you should not use ASP.NET security, rather use IIS security, URL authorization: http://technet.microsoft.com/nl-nl/library/cc772206(WS.10).aspx

    I still hope someone can come up with a solution to the problem..

    HTH

     

    Ronald

    Wednesday, September 21, 2011 10:36
  • Hi,

    I've found a nice workaround for this problem.

    Instead of ClaimsAuthenticationManager we can use FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated event. It behaves like expected ;-)

        void fam_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
        {
            IClaimsPrincipal principal = e.ClaimsPrincipal;

            try
            {
                // SQL connection / claims injection
            }
            catch
            {
                // Error
            }
        }

    Thanks for sharing your solution. Although I did not try it myself yet, I already marked your post as answer.
    • Proposed as answer by DeLux_247 Friday, March 23, 2012 14:58
    Monday, October 3, 2011 07:39
  • I did this in the global.asax file. Works like a champ..

    Thanks

    Friday, March 23, 2012 14:58
  • I did the claims injection with an additional, custom HttpModule. The claims are injected in AuthenticateRequest, where the Session is available. This way I obtain the claims from the DB only once and cache them in the Session.
    I did this in the context of turning IPrincipal into IClaimsPrincipal.  Blog post here:
    http://blogs.dotnetkicks.com/eduardo/2012/07/10/claim-based-security-with-asp-net-membership-providers/

    I stayed away from the ClaimsAuthenticationManager because it would get called for every GET.
    • Edited by egomezr Tuesday, July 10, 2012 20:38
    Tuesday, July 10, 2012 20:21