AuthorizationContext parameter of ClaimsAuthorizationManager does not contain claims of incomingPrincipal

    Question

  • I'm missing something important in my MVC 4 Application.

    I am using passive ws-fed with my ACS.  Works beautifully.

    I have a simple custom ClaimsAuthenticationManager where I do nothing but call the base.Authenticate().  When I set a breakpoint in this method and inspect the incomingPrincipal I can enumerate the Claims collection and see the claims that my ACS issued.

    Next

    I have a simple Custom ClaimsAuthorizationManager.  I have set a breakpoint in my CheckAccess method.  When I inspect the context.Principal and try to enumerate Claims collection the function times out.  It is trying to read my SQLProvider as in the old way of using a RoleProvider.

    BUT...  If I inspect the context.Principal.Identity.ClaimsPrincipal.m_instanceClaims I can enumerate the claims for the identity.  And the context.Principal.Identity.ClaimsPrincipal.Claims collection also enumerates and shows me the claims.

    And that seems weird to me.  At first I thought there was some disconnect with context.Principal being of type System.Web.Security.RolePrincipal and context.Principal.Identity.ClaimsPrincipal being of type System.Security.Claims.ClaimsPrincipal.  Except that context.Principal.Claims is calling System.Security.Claims.ClaimsPrincipal.getClaims(), which is the same as context.Principal.Identity.ClaimsPrincipal.Claims.

    I have to be missing something simple.


    Sharpester

    Thursday, March 07, 2013 5:39 PM

All replies

  • A bit of an update.  I am using WIF 4.5.  I did a little bit of reflection on the classes and RolePrincipal appears to be iterating over the Identities collection and populating Roles with all Claims from all Identities. 

    It's as if there is some sort of state corruption occurring.


    Sharpester

    Thursday, March 07, 2013 8:18 PM
  • Next update.  (Anyone out there?)

    I've found some more information that has me scratching my head.  In the above post, the MVC 4 application template that I am using is the SPA template, which defaults to Forms Auth and has support for several OAuth providers.

    When I use an Intranet template, the problem goes away.  I do not get an External claims count.  And it doesn't try to use the AspNetSqlRoleProvider.

    However when I compare configuration and code files and attempt to comment out all of the differences, the SPA project still wants to use the AspNetSqlRoleProvider.

    I have removed the FormsAuthenticationModule in config and the AuthConfig in Global.asax.

    I've got to be missing something obvious.

    Anyone?


    Sharpester

    Sunday, March 10, 2013 9:25 PM
  • Alright boys and girls...

    Here's your answer.  The SPA template (and probably the Internet template) contains a reference to WebMatrix.WebData.  When you remove that reference, and the two files that depend on it (Controllers\AccountController.cs and Filters\InitializeSimpleMembershipAttribute.cs), then the principal that gets initialized by WIF is a ClaimsPrincipal and not a RolePrincipal.

    Oddly, I was not successful simply excluding (Controllers\AccountController.cs and Filters\InitializeSimpleMembershipAttribute.cs); you must remove the reference to WebMatrix.WebData.

    My suspicion is that WebMatrix.WebData is initializing a static and the pipeline is sensitive to it.  But I don't know for sure.


    Sharpester

    • Proposed as answer by jinweijiegmail Wednesday, March 13, 2013 11:18 PM
    Wednesday, March 13, 2013 9:48 PM
  • You can achieve the same thing setting the following appSetting in web.config:

    <!-- must be "false": this switches off the SimpleMembership start-up hook in WebMatrix.WebData -->
    <add key="enableSimpleMembership" value="false" />

    Then you can still use other functionality in WebMatrix.WebData. For more information on what's going on, check my blog post: http://michiel.vanotegem.nl/2013/05/31/FixClaimsAuthorizationManagerCheckAccessThrowsHttpException.aspx

    Friday, May 31, 2013 1:29 PM
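The root cause in the accepted answer and the web.config reply is that WebMatrix.WebData wraps the WIF principal in a RolePrincipal, whose Claims property pulls roles from the configured RoleProvider (the SQL provider that timed out). Disabling SimpleMembership fixes the principal type; independently of that, a ClaimsAuthorizationManager can be written so that it never touches the principal-level Claims property at all. The following is an added example, not code from the thread or from the templates it discusses. It assumes a hypothetical permission claim type (PermissionClaimType) issued by the STS with values of the form "Resource:Action"; the Demo class builds a constructed ClaimsPrincipal so the check runs offline with no ACS and no RoleProvider involved.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example (not from the thread). Authorization is decided purely from claims on the
// ClaimsIdentity objects, read via context.Principal.Identities rather than context.Principal.Claims.
public class PermissionClaimAuthorizationManager : ClaimsAuthorizationManager
{
    // Hypothetical claim type; an STS would be configured to issue it (assumption, not from the page).
    public const string PermissionClaimType = "http://schemas.example.org/claims/permission";

    public override bool CheckAccess(AuthorizationContext context)
    {
        if (context == null) throw new ArgumentNullException("context");

        // WIF passes the requested resource and action as claim collections.
        string resource = FirstValue(context.Resource);
        string action = FirstValue(context.Action);
        if (resource == null || action == null)
        {
            return false; // deny by default on a malformed request
        }
        string required = resource + ":" + action;

        // Walk the identities instead of enumerating context.Principal.Claims. A principal type that
        // overrides Claims (RolePrincipal augments it with roles fetched from the RoleProvider, which is
        // what stalled on the SQL provider in the thread) is therefore never consulted.
        foreach (ClaimsIdentity identity in context.Principal.Identities)
        {
            if (!identity.IsAuthenticated) continue;

            bool granted = identity.FindAll(PermissionClaimType)
                .Any(c => string.Equals(c.Value, required, StringComparison.Ordinal));
            if (granted) return true;
        }
        return false;
    }

    private static string FirstValue(IEnumerable<Claim> claims)
    {
        Claim first = claims == null ? null : claims.FirstOrDefault();
        return first == null ? null : first.Value;
    }
}

// Offline self-check with a constructed principal (sample data, not issued by any real STS).
public static class Demo
{
    public static bool Run()
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(PermissionClaimAuthorizationManager.PermissionClaimType, "Orders:Read")
        }, "Federation"); // a non-empty authentication type makes IsAuthenticated true

        var principal = new ClaimsPrincipal(identity);
        var manager = new PermissionClaimAuthorizationManager();

        bool canRead = manager.CheckAccess(new AuthorizationContext(principal, "Orders", "Read"));     // true
        bool canDelete = manager.CheckAccess(new AuthorizationContext(principal, "Orders", "Delete")); // false
        return canRead && !canDelete;
    }
}
```

To wire it into the pipeline, register the class (assembly-qualified type name) under system.identityModel/identityConfiguration/claimsAuthorizationManager in web.config and call ClaimsPrincipalPermission.CheckAccess("Orders", "Delete") or apply [ClaimsPrincipalPermission] at the action. Keep the enableSimpleMembership=false setting from the reply above as well: this manager avoids the RoleProvider round trip, but a RolePrincipal wrapping the WIF principal still indicates that SimpleMembership has hooked the request, which is not what a federated application wants.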