private void CheckClaims(string claimType, string resource) { IClaimsPrincipal claimsPrincipal = Thread.CurrentPrincipal as IClaimsPrincipal; if (claimsPrincipal == null) { throw new SecurityException("Access is denied. Security principal should be a IClaimsPrincipal type."); } Claim issuerName = Claim.CreateNameClaim(ClaimsAuthorizationPolicy.IssuerName); List <Claim> issuerClaims = new List <Claim>(); issuerClaims.Add(issuerName); List <Claim> requiredClaims = new List <Claim>(); requiredClaims.Add(new Claim(claimType, resource, Rights.PossessProperty)); DefaultClaimSet claimSet = new DefaultClaimSet(new DefaultClaimSet(issuerClaims), requiredClaims); if (!claimsPrincipal.HasRequiredClaims(claimSet)) { throw new SecurityException("Access is denied. Security principal does not satisfy required claims."); } }
/// <summary> /// If IsAuthenticated was set on the permission, /// check the thread's principal is authenticated /// If Claims WERE NOT provided, don't check them /// If Claims WERE provided, check the thread's principal /// make sure it is an IClaimsPrincipal /// check for an issuer match, /// check that required claims are present /// </summary> /// <param name="principal"></param> public void CheckClaims(IClaimsPrincipal principal) { IPrincipal p = principal as IPrincipal; if (this.m_isAuthenticated && !p.Identity.IsAuthenticated) { throw new SecurityException("Access is denied. Security principal is not authenticated."); } if (this.m_requiredClaims == null) { return; } if (!principal.HasRequiredClaims(this.m_requiredClaims)) { throw new SecurityException("Access is denied. Security principal does not satisfy required claims."); } }
public void CheckClaims(IClaimsPrincipal principal) { IPrincipal p = principal as IPrincipal; if (this.m_isAuthenticated && !p.Identity.IsAuthenticated) { throw new SecurityException("Access is denied. Security principal is not authenticated."); } if (m_issuer != null) { Claim c = Claim.CreateNameClaim(m_issuer); if (!principal.Issuer.ContainsClaim(c)) { throw new SecurityException("Access is denied. Invalid claims issuer."); } } if (this.m_requiredClaims.Count == 0) { return; } List <Claim> claims = new List <Claim>(); foreach (string s in this.m_requiredClaims) { claims.Add(new Claim(s, ClaimsAuthorizationPolicy.Resources.Application, Rights.PossessProperty)); } DefaultClaimSet claimSet = new DefaultClaimSet(claims); if (!principal.HasRequiredClaims(claimSet)) { throw new SecurityException("Access is denied. Security principal does not satisfy required claims."); } }
/// <summary> /// Throws a System.Security.SecurityException at run time if the security requirement is not met. /// </summary> public void Demand() { // The operation is rejected if the Principal hasn't been set by the customer Authentication Manager. IClaimsPrincipal iClaimsPrincipal = Thread.CurrentPrincipal as IClaimsPrincipal; if (iClaimsPrincipal == null) { throw new SecurityException("Access is denied. Security principal should be a IClaimSetPrincipal type."); } // If the permission requires the user to be authenticated and they aren't, then throw the exception back at the // caller. if (this.isAuthenticated && !iClaimsPrincipal.Identity.IsAuthenticated) { throw new SecurityException("Access is denied. Security principal is not authenticated."); } // If claims are required for access to some resource and the principal doesn't supply them, then throw the operation // back at the caller. if (this.requiredClaims != null && !iClaimsPrincipal.HasRequiredClaims(this.requiredClaims)) { throw new SecurityException("Access is denied. Security principal does not satisfy required claims."); } }
/// <summary> /// Check if the user is a business type user and if he has access to the requested business /// </summary> /// <param name="principal"></param> /// <param name="businessId"></param> /// <returns>True if user has access</returns> private bool CheckBusinessUser(IClaimsPrincipal principal, long businessId) { // Calculate if the current user has right on business bool isBusinessUser = principal.HasRequiredClaims(new DefaultClaimSet(Claim.CreateNameClaim(ClaimType.RIGHT_ON_BUSINESS))); if (isBusinessUser && OperationContext.Current.IncomingMessageProperties != null) { MembershipUser user = Membership.GetUser(GetUserName()); List<long> businessIds = new List<long>(); if (user != null) { businessIds = userManager.GetBusinessesForUser((Guid) user.ProviderUserKey); } // Check the Business User is accessing one of his own businesses long primaryBusinessId = Convert.ToInt64(operationContextManager.GetIncomingMessageProperty(PRIMARY_BUSINESS_ID)); if (primaryBusinessId == businessId || businessIds.Any(bid => bid == businessId)) { return true; } } if (isBusinessUser) { // Business User that is trying to access business other than his primary throw new AccessDeniedException(ErrorFactory.CreateAndLogError(Errors.SRVEX20001, "eviivo.Eagle.Services.Core.AbstractService.CheckAccessRights", "No access to business or region.", arguments: new object[] { businessId })); } // User is not a business user return false; }
/// <summary> /// Checks the claims for a given claims principal /// </summary> /// <param name="principal">Claims Principal</param> /// <remarks> Throws a <see cref="T:Eviivo.Business.Exceptions.AccessDeniedException"/> at run time if the security requirement is not met. </remarks> public void CheckClaims(IClaimsPrincipal principal) { //If the IsAuthenticated property is set to true, it checks to see that the current principal //is authenticated. System.Security.Principal.IIdentity identity = principal.Identity; if (principal != null && isAuthenticated && !identity.IsAuthenticated) { throw new AccessDeniedException(ErrorFactory.CreateAndLogError(Errors.SRVEX20001, "ClaimsPrincipalPermission.CheckClaims", "Security principal is not authenticated.", arguments: new object[] { principal.Identity.Name, requiredClaims })); } //If the RequiredClaims property is null, it does not check any further, and the demand is complete, //otherwise, the requirements for issuer and claims are verified. if (this.requiredClaims == null) { return; } //The Issuer is checked next. When the RequiredClaims property is set, a ClaimSet is provided which //includes a ClaimSet for the Issuer. The assumption here is that the developer has provided one or //more identifying claims about the required Issuer. If one of these claims is matched by the Issuer //of the security principal’s claims, then we have a match. //Once an Issuer match is verified the list of required claims are checked. All required claims must //be present in the RequiredClaims ClaimSet, or the demand fails. if (principal != null && !principal.HasRequiredClaims(this.requiredClaims)) { throw new AccessDeniedException(ErrorFactory.CreateAndLogError(Errors.SRVEX20001, "ClaimsPrincipalPermission.CheckClaims", "Security principal does not satisfy required claims.", arguments: new object[] { identity.Name, principal.Claims.Select(c => c.Resource.ToString()).ToArray().Serialize(), requiredClaims.Select(c => c.Resource.ToString()).ToArray().Serialize() })); } }