Exemple #1
0
        private void CheckClaims(string claimType, string resource)
        {
            IClaimsPrincipal claimsPrincipal = Thread.CurrentPrincipal as IClaimsPrincipal;

            if (claimsPrincipal == null)
            {
                throw new SecurityException("Access is denied. Security principal should be a IClaimsPrincipal type.");
            }

            Claim        issuerName   = Claim.CreateNameClaim(ClaimsAuthorizationPolicy.IssuerName);
            List <Claim> issuerClaims = new List <Claim>();

            issuerClaims.Add(issuerName);

            List <Claim> requiredClaims = new List <Claim>();

            requiredClaims.Add(new Claim(claimType, resource, Rights.PossessProperty));

            DefaultClaimSet claimSet = new DefaultClaimSet(new DefaultClaimSet(issuerClaims), requiredClaims);

            if (!claimsPrincipal.HasRequiredClaims(claimSet))
            {
                throw new SecurityException("Access is denied. Security principal does not satisfy required claims.");
            }
        }
Exemple #2
0
        /// <summary>
        /// If IsAuthenticated was set on the permission,
        ///   check the thread's principal is authenticated
        /// If Claims WERE NOT provided, don't check them
        /// If Claims WERE provided, check the thread's principal
        ///   make sure it is an IClaimsPrincipal
        ///   check for an issuer match,
        ///   check that required claims are present
        /// </summary>
        /// <param name="principal"></param>
        public void CheckClaims(IClaimsPrincipal principal)
        {
            IPrincipal p = principal as IPrincipal;

            if (this.m_isAuthenticated && !p.Identity.IsAuthenticated)
            {
                throw new SecurityException("Access is denied. Security principal is not authenticated.");
            }

            if (this.m_requiredClaims == null)
            {
                return;
            }

            if (!principal.HasRequiredClaims(this.m_requiredClaims))
            {
                throw new SecurityException("Access is denied. Security principal does not satisfy required claims.");
            }
        }
Exemple #3
0
        public void CheckClaims(IClaimsPrincipal principal)
        {
            IPrincipal p = principal as IPrincipal;

            if (this.m_isAuthenticated && !p.Identity.IsAuthenticated)
            {
                throw new SecurityException("Access is denied. Security principal is not authenticated.");
            }


            if (m_issuer != null)
            {
                Claim c = Claim.CreateNameClaim(m_issuer);
                if (!principal.Issuer.ContainsClaim(c))
                {
                    throw new SecurityException("Access is denied. Invalid claims issuer.");
                }
            }

            if (this.m_requiredClaims.Count == 0)
            {
                return;
            }

            List <Claim> claims = new List <Claim>();

            foreach (string s in this.m_requiredClaims)
            {
                claims.Add(new Claim(s, ClaimsAuthorizationPolicy.Resources.Application, Rights.PossessProperty));
            }

            DefaultClaimSet claimSet = new DefaultClaimSet(claims);

            if (!principal.HasRequiredClaims(claimSet))
            {
                throw new SecurityException("Access is denied. Security principal does not satisfy required claims.");
            }
        }
Exemple #4
0
        /// <summary>
        /// Throws a System.Security.SecurityException at run time if the security requirement is not met.
        /// </summary>
        public void Demand()
        {
            // The operation is rejected if the Principal hasn't been set by the customer Authentication Manager.
            IClaimsPrincipal iClaimsPrincipal = Thread.CurrentPrincipal as IClaimsPrincipal;

            if (iClaimsPrincipal == null)
            {
                throw new SecurityException("Access is denied. Security principal should be a IClaimSetPrincipal type.");
            }

            // If the permission requires the user to be authenticated and they aren't, then throw the exception back at the
            // caller.
            if (this.isAuthenticated && !iClaimsPrincipal.Identity.IsAuthenticated)
            {
                throw new SecurityException("Access is denied. Security principal is not authenticated.");
            }

            // If claims are required for access to some resource and the principal doesn't supply them, then throw the operation
            // back at the caller.
            if (this.requiredClaims != null && !iClaimsPrincipal.HasRequiredClaims(this.requiredClaims))
            {
                throw new SecurityException("Access is denied. Security principal does not satisfy required claims.");
            }
        }
Exemple #5
0
        /// <summary>
        /// Check if the user is a business type user and if he has access to the requested business
        /// </summary>
        /// <param name="principal"></param>
        /// <param name="businessId"></param>
        /// <returns>True if user has access</returns>
        private bool CheckBusinessUser(IClaimsPrincipal  principal, long businessId)
        {
            // Calculate if the current user has right on business
            bool isBusinessUser = principal.HasRequiredClaims(new DefaultClaimSet(Claim.CreateNameClaim(ClaimType.RIGHT_ON_BUSINESS)));

            if (isBusinessUser &&
                OperationContext.Current.IncomingMessageProperties != null)
            {
                MembershipUser user = Membership.GetUser(GetUserName());
                List<long> businessIds = new List<long>();
                if (user != null)
                {
                    businessIds = userManager.GetBusinessesForUser((Guid) user.ProviderUserKey);
                }
                // Check the Business User is accessing one of his own businesses
                long primaryBusinessId =
                    Convert.ToInt64(operationContextManager.GetIncomingMessageProperty(PRIMARY_BUSINESS_ID));
                if (primaryBusinessId == businessId ||
                    businessIds.Any(bid => bid == businessId))
                {
                    return true;
                }
            }

            if (isBusinessUser)
            {
                // Business User that is trying to access business other than his primary
                throw new AccessDeniedException(ErrorFactory.CreateAndLogError(Errors.SRVEX20001,
                                                                              "eviivo.Eagle.Services.Core.AbstractService.CheckAccessRights",
                                                                               "No access to business or region.", arguments: new object[] { businessId }));
            }

            // User is not a business user
            return false;
        }
Exemple #6
0
        /// <summary>
        /// Checks the claims for a given claims principal
        /// </summary>
        /// <param name="principal">Claims Principal</param>
        /// <remarks> Throws a <see cref="T:Eviivo.Business.Exceptions.AccessDeniedException"/> at run time if the security requirement is not met. </remarks>
        public void CheckClaims(IClaimsPrincipal principal)
        {
            //If the IsAuthenticated property is set to true, it checks to see that the current principal 
            //is authenticated.
            System.Security.Principal.IIdentity identity = principal.Identity;
            if (principal != null && isAuthenticated && !identity.IsAuthenticated)
            {
                throw new AccessDeniedException(ErrorFactory.CreateAndLogError(Errors.SRVEX20001, "ClaimsPrincipalPermission.CheckClaims", "Security principal is not authenticated.", arguments: new object[] { principal.Identity.Name, requiredClaims }));
            }
            //If the RequiredClaims property is null, it does not check any further, and the demand is complete, 
            //otherwise, the requirements for issuer and claims are verified.
            if (this.requiredClaims == null)
            {
                return;
            }

            //The Issuer is checked next. When the RequiredClaims property is set, a ClaimSet is provided which 
            //includes a ClaimSet for the Issuer. The assumption here is that the developer has provided one or 
            //more identifying claims about the required Issuer. If one of these claims is matched by the Issuer 
            //of the security principal’s claims, then we have a match.
            //Once an Issuer match is verified the list of required claims are checked. All required claims must
            //be present in the RequiredClaims ClaimSet, or the demand fails.
            if (principal != null && !principal.HasRequiredClaims(this.requiredClaims))
            {
                throw new AccessDeniedException(ErrorFactory.CreateAndLogError(Errors.SRVEX20001, "ClaimsPrincipalPermission.CheckClaims", "Security principal does not satisfy required claims.", arguments: new object[] { identity.Name, principal.Claims.Select(c => c.Resource.ToString()).ToArray().Serialize(), requiredClaims.Select(c => c.Resource.ToString()).ToArray().Serialize() }));
            }
        }