Locked ClaimsAuthenticationManager is called for every GET

  • 7 June 2011 14:57
     
     

    Hi all,

    I created a custom ClaimsAuthenticationManager to add new claims for the logged in user. Therefore I determine the name of the user and use a database lookup to get extra info about the user. That extra info is added to the claimset.

    This all works just fine. My problem is that the method Authenticate is called for every GET request, including css and images. HttpContext.Current.Items is empty each time Authenticate is called, leaving no option for caching data on the context.

    I am using the following configuration:

        <microsoft.identityModel>
          <service>
            <claimsAuthenticationManager type="MyClaimsAuthenticationManager, <assemblyname>"/>
          </service>
        </microsoft.identityModel>

     

     

    I am using MVC 3, so all content, like css and images, goes to the Content folder. Even if I add the config below, Authenticate is still being called.

        <location path="Content">
          <system.web>
            <authorization>
              <allow users="*"/>
            </authorization>
          </system.web>
        </location>

    How can I minimize the calls to AuthenticationManager.Authenticate? I have read that it should only be called once in a session.

    Kind regards,

    Ronald

All replies

  • 29 August 2011 13:42
     
     

    Did you ever find a solution to this? I'm experiencing the exact same issue.

     

    Thanks,

  • 7 September 2011 20:31
     
     

    Did you ever find a solution to this? I'm experiencing the exact same issue.

     

    Thanks,


    Hi,

    No, I did not. However, I did start using an authentication cookie, see http://stackoverflow.com/questions/5997848/adding-claims-based-authorization-to-mvc-3/6067309#6067309.

    This does work on IIS 6.0, however, after migrating to IIS 7/7.5 another error occurred ("Invalid token for impersonation - it cannot be duplicated"). Still have to investigate that one...

    Kind regards

  • 21 September 2011 9:20
     
     

    Hi,

    I encountered the exact same problem today. (IIS 7.5 MVC 3) Did anyone solve this issue or have a clue where to look for the cause?

  • 21 September 2011 10:36
     
     

    Hi Gregorz,

    According to http://msdn.microsoft.com/en-us/library/ee748487.aspx, it should be called once a session. As stated, that is not the case.

    Depending on the type of files, you could consider making them publicly accessible. With IIS 7, you should not use ASP.NET security, rather use IIS security, URL authorization: http://technet.microsoft.com/nl-nl/library/cc772206(WS.10).aspx

    I still hope someone can come up with a solution to the problem..

    HTH

     

    Ronald

  • 3 October 2011 7:32

     Answer, has code

    Hi,

    I've found a nice workaround for this problem.

    Instead of ClaimsAuthenticationManager we can use FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenValidated event. It behaves like expected ;-)

        void fam_SecurityTokenValidated(object sender, SecurityTokenValidatedEventArgs e)
        {
            IClaimsPrincipal principal = e.ClaimsPrincipal;

            try
            {
                // SQL connection / claims injection
            }
            catch
            {
                // Error
            }
        }


     



    • Edited by Grzegorz Banczak, 3 October 2011 7:34
    • Marked as answer by RonaldK, 3 October 2011 7:38
  • 3 October 2011 7:39

     Proposed answer, has code

    Thanks for sharing your solution. Although, I did not try it myself yet, I already marked your post as answer.
    • Proposed as answer by DeLux_247, 23 March 2012 14:58
  • 26 February 2012 8:09

     Answer

    Once you've added whatever claims you are generating in the ClaimsAuthenticationManager, you need to serialize it with the SessionAuthenticationModule.

    See Example here

    • Marked as answer by RonaldK, 27 February 2012 18:26
  • 23 March 2012 14:58
     
     

    I did this in the global.asax file. Works like a champ..

    Thanks

  • 10 July 2012 20:21
     
     

    I did the claims injection with an additional, custom HttpModule. The claims are injected in AuthenticateRequest, where the Session is available. This way I obtain the claims from the DB only once and cache in the Session.
    I did this in the context of turning IPrincipal into IClaimsPrincipal.  Blog post here:
    http://blogs.dotnetkicks.com/eduardo/2012/07/10/claim-based-security-with-asp-net-membership-providers/

    I stayed away from the ClaimsAuthenticationManager because it would get called for every GET.
    • Edited by egomezr, 10 July 2012 20:38