
I feel like I might be going down the wrong route here, and was hoping someone would be able to do a little course correcting!

I'm creating a web app which uses Windows Authentication. However, I wish to assign custom claims/roles to specific windows users, which I'm planning on storing in a SQL database.

I thought a way to do this would be to enable Windows Authentication in the web.config of my app, but to add an AuthenticationManager from WIF which can add custom claims (which come directly from the database) to the principal/identity. Then an AuthorizationManager would handle authorization to specific controller actions.

The problem I'm having right now is that my Authentication and AuthorizationManagers aren't being called. I'm not sure what I'm missing (they're registered in the web.config), but I suspect maybe it's because I'm using Windows Authentication...? Additionally, my Authorize attributes aren't calling the AuthorizationManager, possibly because I need to create a new attribute.

Is this a viable route to go down, or should I be looking at creating a custom RoleProvider instead?

dark_perfect

1 Answer

The ClaimsAuthenticationManager is not called automatically - the FAM calls it.

That said - you can call it yourself, e.g. in Post_AuthenticateRequest and then set a cookie using the SAM. That's totally doable.

leastprivilege
  • Thanks! I'm not entirely sure how this works though. I've managed to call my ClaimsAuthenticationManager from the Application_PostAuthenticateRequest method, and can write to a cookie with the SAM. How does the SAM load the claims from the cookie for every subsequent request, though? And this Application_PostAuthenticateRequest is called for each and every request - is there any way to lessen its impact on the application? My ClaimsAuthenticationManager is retrieving roles from the database even on requests for images! If you have any examples, that would be ace! – dark_perfect Apr 09 '14 at 17:20
  • I found what I think is a good solution here: http://stackoverflow.com/questions/16904639/simple-claims-transformation-and-caching-w-windows-authentication – dark_perfect Apr 10 '14 at 00:55
  • You need to write the cookie and include the SAM module to read it. On the first request you should have a WindowsPrincipal, after you wrote the cookie you should have a plain ClaimsPrincipal. That's how you can optimize it. – leastprivilege Apr 12 '14 at 16:31
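
The approach described in the answer and its comments, as an added example that is not code from either poster: the transformation runs only while the request still carries a WindowsPrincipal, and the result is cached in the SAM cookie. It assumes .NET 4.5 with `SessionAuthenticationModule` registered in web.config and `DatabaseRoleManager` configured as the `claimsAuthenticationManager`; the class names, the `AppDb` connection string, the `dbo.UserRoles` table and the 30-minute lifetime are hypothetical.

```csharp
// Added example (Global.asax.cs, .NET 4.5). "AppDb" and dbo.UserRoles are hypothetical names.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // Once the SAM has restored its cookie, User is a plain ClaimsPrincipal: skip the database.
        var windowsUser = Context.User as WindowsPrincipal;
        if (windowsUser == null || !windowsUser.Identity.IsAuthenticated) return;
        // First request only: run the ClaimsAuthenticationManager registered in web.config.
        var manager = FederatedAuthentication.FederationConfiguration
            .IdentityConfiguration.ClaimsAuthenticationManager;
        ClaimsPrincipal principal = manager.Authenticate(Request.Path, windowsUser);
        // Cache the transformed principal in the SAM session cookie for later requests.
        var token = new SessionSecurityToken(principal, TimeSpan.FromMinutes(30));
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
        Context.User = principal;
        System.Threading.Thread.CurrentPrincipal = principal;
    }
}

public class DatabaseRoleManager : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incoming)
    {
        if (incoming == null || !incoming.Identity.IsAuthenticated) return incoming;
        // Build a fresh identity: only the name and database roles go into the cookie.
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, incoming.Identity.Name) };
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT RoleName FROM dbo.UserRoles WHERE UserName = @user", conn))
        {
            cmd.Parameters.AddWithValue("@user", incoming.Identity.Name);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) claims.Add(new Claim(ClaimTypes.Role, reader.GetString(0)));
        }
        return new ClaimsPrincipal(new ClaimsIdentity(claims, incoming.Identity.AuthenticationType));
    }
}
```

Roles are cached in the cookie for the token lifetime, so a role removed in the database stays in effect until the cookie expires; pick the lifetime with that revocation delay in mind.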