Questions about IAuthorizationPolicy.Evaluate method

  • Question

  • In IAuthorizationPolicy is the following method:
    bool Evaluate(EvaluationContext evaluationContext, ref object state)

    I'm wondering exactly how the state parameter works here. In the help it says:

    "Implementers of the IAuthorizationPolicy interface can use the state parameter to track state between calls to the Evaluate method. If a state object is set inside a given call to the Evaluate method, the same object instance is passed to each and every subsequent call to the Evaluate method in the current evaluation process."


    The help then goes on to give an example of this. What I'm wondering is what is being referred to by the "current evaluation process" and why the Evaluate method might be called multiple times during this process.

    What I had imagined was that a single call to my WCF service would result in :
    1. Authentication firstly (maybe a username and password validator)
    2. A single call to the IAuthorizationPolicy.Evaluate method (why would it call this twice, right?)
    3. A call to the AuthorizationManager to enforce any access control on the individual method being called in the service
    4. Finally the service method being executed

    But the paragraph above from the help docs gives me the impression that something much sneakier is going on... Can anyone explain to me what is meant by the "current evaluation process" and in what circumstances the Evaluate method of my custom IAuthorizationPolicy might be called twice?

    TIA

    Jimmy
    Wednesday, June 20, 2007 12:51 AM

Answers

  • Hm, I found some more info on this at:
      http://msdn2.microsoft.com/en-us/library/ms729794.aspx

    Here's the important bit that relates to my question:
    1. Two parameters are passed to this method: an instance of the EvaluationContext class and an object reference.

    2. If the custom authorization policy adds ClaimSet instances without regard to the current content of the EvaluationContext, then add each ClaimSet by calling the AddClaimSet method and return true from the Evaluate method. Returning true indicates to the authorization infrastructure that the authorization policy has performed its work and does not need to be called again.

    3. If the custom authorization policy adds claim sets only if certain claims are already present in the EvaluationContext, then look for those claims by examining the ClaimSet instances returned by the ClaimSets property. If the claims are present, then add the new claim sets by calling the AddClaimSet method and, if no more claim sets are to be added, return true, indicating to the authorization infrastructure that the authorization policy has completed its work. If the claims are not present, return false, indicating that the authorization policy should be called again if other authorization policies add more claim sets to the EvaluationContext.

    4. In more complex processing scenarios, the second parameter of the Evaluate method is used to store a state variable that the authorization infrastructure will pass back during each subsequent call to the Evaluate method for a particular evaluation.

    So it seems most of the complicated bits in that Evaluate method are simply to do with scenarios where you might have multiple Authorization Policies being applied.

    Jimmy
    Wednesday, June 20, 2007 10:30 AM

All replies

  • When returning false from Evaluate, you basically register for another pass. Keep in mind that you can have multiple authorization policies, and on the first pass there may be information missing for a particular policy to add the required information to the claim sets.

    The state parameter can be used to persist state between passes.

    I wouldn't worry too much about that; it's kind of an esoteric feature you probably won't need on a daily basis...


    Wednesday, June 20, 2007 4:48 AM
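The multi-pass behaviour described in the accepted answer and in the reply above, as an added example (not code from the thread or from any poster). It targets WCF on the .NET Framework (System.IdentityModel.dll) and drives the real evaluation loop through AuthorizationContext.CreateDefaultAuthorizationContext. The role claim type URI, the user-to-role table and the user name "alice" are constructed for the example; RolePolicy is deliberately listed before NamePolicy so its first pass finds no Name claim, returns false, and is called a second time after NamePolicy has added one.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;

// Added illustration, not code from the original thread. Targets WCF on the
// .NET Framework (System.IdentityModel.dll).
public static class EvaluateDemo
{
    public static void Main()
    {
        var policies = new List<IAuthorizationPolicy> {
            new RolePolicy(),          // depends on a Name claim added by someone else
            new NamePolicy("alice")    // adds the Name claim unconditionally
        };

        // Runs the same evaluation loop the WCF channel stack runs per message:
        // policies that return false are called again when other policies add claim sets.
        AuthorizationContext ctx = AuthorizationContext.CreateDefaultAuthorizationContext(policies);

        foreach (ClaimSet cs in ctx.ClaimSets)
            foreach (Claim c in cs)
                Console.WriteLine("{0} = {1} ({2})", c.ClaimType, c.Resource, c.Right);
    }
}

// Adds a claim set without regard to what is already in the context,
// so it returns true and is never re-called in this evaluation.
public sealed class NamePolicy : IAuthorizationPolicy
{
    readonly string _id = Guid.NewGuid().ToString();
    readonly string _userName;
    public NamePolicy(string userName) { _userName = userName; }
    public string Id { get { return _id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        evaluationContext.AddClaimSet(this,
            new DefaultClaimSet(ClaimSet.System, new[] { Claim.CreateNameClaim(_userName) }));
        return true;   // work complete; do not call again during this evaluation
    }
}

// Maps a Name claim to role claims, but only once a Name claim exists in the context.
public sealed class RolePolicy : IAuthorizationPolicy
{
    // Assumed claim type: System.IdentityModel.Claims.ClaimTypes defines no role type.
    const string RoleClaimType = "http://example.org/claims/role";

    // Constructed sample data standing in for a directory or database lookup.
    static readonly Dictionary<string, string[]> Roles = new Dictionary<string, string[]> {
        { "alice", new[] { "Admin", "User" } },
        { "bob",   new[] { "User" } },
    };

    // Per-evaluation state carried in the 'state' parameter. It must not live in
    // instance fields: a policy registered in ExternalAuthorizationPolicies is one
    // shared instance serving every request.
    sealed class PassState
    {
        public int Passes;
        public HashSet<string> Mapped = new HashSet<string>();
    }

    readonly string _id = Guid.NewGuid().ToString();
    public string Id { get { return _id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        var s = state as PassState;
        if (s == null) state = s = new PassState();   // first call in this evaluation
        s.Passes++;
        Console.WriteLine("RolePolicy.Evaluate pass {0}, context generation {1}",
                          s.Passes, evaluationContext.Generation);

        // Collect first: AddClaimSet mutates the collection being enumerated.
        var names = new List<string>();
        foreach (ClaimSet cs in evaluationContext.ClaimSets)
            foreach (Claim c in cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
                names.Add((string)c.Resource);

        if (names.Count == 0)
            return false;   // nothing to act on yet; re-call me if more claim sets appear

        foreach (string name in names)
        {
            if (!s.Mapped.Add(name)) continue;   // already mapped on an earlier pass
            string[] roles;
            if (!Roles.TryGetValue(name, out roles)) continue;
            var claims = new List<Claim>();
            foreach (string r in roles)
                claims.Add(new Claim(RoleClaimType, r, Rights.PossessProperty));
            evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, claims));
        }
        return true;   // our claim sets are in; no further calls needed
    }
}
```

Running Main prints two "RolePolicy.Evaluate pass" lines before the claims, which is the "called twice" case from the question: pass 1 sees an empty context and returns false, NamePolicy then adds the Name claim set, and pass 2 finds it and adds the roles. The PassState object survives between those two calls only through the ref parameter, and its Mapped set is what keeps a policy that is re-called from adding the same claim set twice. Returning false when the prerequisite claim never shows up is harmless; the policy simply contributes nothing to the final AuthorizationContext.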
  • Hmm, interesting... what's the logic behind calling the Evaluate method before all the info is ready for this to be processed and what sort of info might be missing on the first call? I'm presuming this isn't simply to confuse people and there's a genuinely good reason for doing this (ever the optimist).

    Also, if you have multiple authorization policies, does the same state object get shared by each of these?

    Finally, do you know where I can find any extra reading on all of this?

    TIA

    Jimmy
    Wednesday, June 20, 2007 10:24 AM