
ServiceAuthorizationManager.CheckAccess Method

Definition

Namespace:
System.ServiceModel
Assembly:
System.ServiceModel.dll

Important

Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Checks authorization for the given operation context and optional message.

Overloads

Name Description
CheckAccess(OperationContext)

Checks authorization for the given operation context.

CheckAccess(OperationContext, Message)

Checks authorization for the given operation context when access to a message is required.

CheckAccess(OperationContext)

Checks authorization for the given operation context.

public:
 virtual bool CheckAccess(System::ServiceModel::OperationContext ^ operationContext);
public virtual bool CheckAccess(System.ServiceModel.OperationContext operationContext);
abstract member CheckAccess : System.ServiceModel.OperationContext -> bool
override this.CheckAccess : System.ServiceModel.OperationContext -> bool
Public Overridable Function CheckAccess (operationContext As OperationContext) As Boolean

Parameters

operationContext
OperationContext

The OperationContext.

Returns

true if access is granted; otherwise, false. The default is true.

Examples

The following code shows how to override this method to enforce custom access control requirements.

using System.IdentityModel.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

public class myServiceAuthorizationManager : ServiceAuthorizationManager
{
    // Override the CheckAccess method to enforce access control requirements.
    public override bool CheckAccess(OperationContext operationContext)
    {
        AuthorizationContext authContext =
            operationContext.ServiceSecurityContext.AuthorizationContext;
        if (authContext.ClaimSets == null) return false;
        if (authContext.ClaimSets.Count != 1) return false;
        ClaimSet myClaimSet = authContext.ClaimSets[0];
        if (!IssuedBySTS_B(myClaimSet)) return false;
        if (myClaimSet.Count != 1) return false;
        Claim myClaim = myClaimSet[0];
        if (myClaim.ClaimType ==
            "http://www.tmpuri.org:accessAuthorized")
        {
            string resource = myClaim.Resource as string;
            if (resource == null) return false;
            if (resource != "true") return false;
            return true;
        }
        else
        {
            return false;
        }
    }

    // This helper method checks whether the SAML token was issued by STS-B.
    // It compares the Thumbprint claim of the issuer against the
    // certificate of STS-B.
    private bool IssuedBySTS_B(ClaimSet myClaimSet)
    {
        ClaimSet issuerClaimSet = myClaimSet.Issuer;
        if (issuerClaimSet == null) return false;
        if (issuerClaimSet.Count != 1) return false;
        Claim issuerClaim = issuerClaimSet[0];
        if (issuerClaim.ClaimType != ClaimTypes.Thumbprint)
            return false;
        if (issuerClaim.Resource == null) return false;
        byte[] claimThumbprint = (byte[])issuerClaim.Resource;
        // It is assumed that GetStsBCertificate() (not shown) returns an
        // X509Certificate2 that is initialized with the certificate of STS-B.
        X509Certificate2 stsB_Certificate = GetStsBCertificate();
        byte[] certThumbprint = stsB_Certificate.GetCertHash();
        if (claimThumbprint.Length != certThumbprint.Length)
            return false;
        for (int i = 0; i < claimThumbprint.Length; i++)
        {
            if (claimThumbprint[i] != certThumbprint[i]) return false;
        }
        return true;
    }
}
Imports System.IdentityModel.Claims
Imports System.Security.Cryptography.X509Certificates
Imports System.ServiceModel

Public Class myServiceAuthorizationManager
    Inherits ServiceAuthorizationManager

    ' Override the CheckAccess method to enforce access control requirements.
    Public Overloads Overrides Function CheckAccess(ByVal operationContext As OperationContext) As Boolean
        Dim authContext = operationContext.ServiceSecurityContext.AuthorizationContext
        If authContext.ClaimSets Is Nothing Then
            Return False
        End If

        If authContext.ClaimSets.Count <> 1 Then
            Return False
        End If

        Dim myClaimSet = authContext.ClaimSets(0)
        If Not IssuedBySTS_B(myClaimSet) Then
            Return False
        End If
        If myClaimSet.Count <> 1 Then
            Return False
        End If
        Dim myClaim = myClaimSet(0)
        If myClaim.ClaimType = "http://www.tmpuri.org:accessAuthorized" Then
            Dim resource = TryCast(myClaim.Resource, String)
            If resource Is Nothing Then
                Return False
            End If
            If resource <> "true" Then
                Return False
            End If
            Return True
        Else
            Return False
        End If
    End Function

    ' This helper method checks whether the SAML token was issued by STS-B.
    ' It compares the Thumbprint claim of the issuer against the
    ' certificate of STS-B.
    Private Function IssuedBySTS_B(ByVal myClaimSet As ClaimSet) As Boolean
        Dim issuerClaimSet = myClaimSet.Issuer
        If issuerClaimSet Is Nothing Then
            Return False
        End If
        If issuerClaimSet.Count <> 1 Then
            Return False
        End If
        Dim issuerClaim = issuerClaimSet(0)
        If issuerClaim.ClaimType <> ClaimTypes.Thumbprint Then
            Return False
        End If
        If issuerClaim.Resource Is Nothing Then
            Return False
        End If
        Dim claimThumbprint() = CType(issuerClaim.Resource, Byte())
        ' It is assumed that GetStsBCertificate() (not shown) returns an
        ' X509Certificate2 that is initialized with the certificate of STS-B.
        Dim stsB_Certificate = GetStsBCertificate()
        Dim certThumbprint() = stsB_Certificate.GetCertHash()
        If claimThumbprint.Length <> certThumbprint.Length Then
            Return False
        End If
        For i = 0 To claimThumbprint.Length - 1
            If claimThumbprint(i) <> certThumbprint(i) Then
                Return False
            End If
        Next i
        Return True
    End Function
End Class

Remarks

In general, applications should override CheckAccessCore instead of this method.

Override CheckAccess if the application associates or introduces a different set of policies for the resulting ServiceSecurityContext, or provides a different policy evaluation (chaining) model.

This method is responsible for calling CheckAccessCore.


CheckAccess(OperationContext, Message)

Checks authorization for the given operation context when access to a message is required.

public:
 virtual bool CheckAccess(System::ServiceModel::OperationContext ^ operationContext, System::ServiceModel::Channels::Message ^ % message);
public virtual bool CheckAccess(System.ServiceModel.OperationContext operationContext, ref System.ServiceModel.Channels.Message message);
abstract member CheckAccess : System.ServiceModel.OperationContext * Message -> bool
override this.CheckAccess : System.ServiceModel.OperationContext * Message -> bool
Public Overridable Function CheckAccess (operationContext As OperationContext, ByRef message As Message) As Boolean

Parameters

operationContext
OperationContext

The OperationContext.

message
Message

The Message to be examined to determine authorization.

Returns

true if access is granted; otherwise, false. The default is true.

Examples

The following code shows how to override this method to enforce custom access control requirements that require access to the message body.

using System.ServiceModel;
using System.ServiceModel.Channels;

public class myService_M_AuthorizationManager : ServiceAuthorizationManager
{
    // Maximum number of bytes of the message that will be buffered for inspection.
    int someMaxSize = 16000;

    // The message-aware overload is CheckAccess(OperationContext, ref Message);
    // CheckAccessCore takes only the OperationContext.
    public override bool CheckAccess(OperationContext operationContext, ref Message message)
    {
        bool accessAllowed = false;
        MessageBuffer requestBuffer = message.CreateBufferedCopy(someMaxSize);

        // Do access checks using the buffered message and set accessAllowed appropriately.
        if (accessAllowed)
        {
            // Replace the incoming message with a fresh copy, since reading a message consumes it.
            message = requestBuffer.CreateMessage();
        }
        return accessAllowed;
    }
}
Imports System.ServiceModel
Imports System.ServiceModel.Channels

Public Class myService_M_AuthorizationManager
    Inherits ServiceAuthorizationManager

    ' Maximum number of bytes of the message that will be buffered for inspection.
    Private someMaxSize As Integer = 16000

    Public Overrides Function CheckAccess(ByVal operationContext As OperationContext, _
                                          ByRef message As Message) As Boolean
        Dim accessAllowed = False
        Dim requestBuffer = message.CreateBufferedCopy(someMaxSize)

        ' Do access checks using the buffered message and set accessAllowed appropriately.
        If accessAllowed Then
            ' Replace the incoming message with a fresh copy, since reading a message consumes it.
            message = requestBuffer.CreateMessage()
        End If
        Return accessAllowed
    End Function
End Class

Remarks

In general, applications should override CheckAccessCore instead of this method, which should only be used if the authorization decision depends on the message body. Because of performance issues, if possible you should redesign your application so that the authorization decision does not require access to the message body.

Override this method if the application associates or introduces a different set of policies for the resulting ServiceSecurityContext and Message, or provides a different policy evaluation (chaining) model.

This method is responsible for calling CheckAccessCore.
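The chaining model described in the Remarks of both overloads, as an added example that is not part of this reference page or of WCF itself: the message overload buffers a bounded copy of the body, inspects it, hands the dispatcher an unread copy, and then calls base.CheckAccess(OperationContext) so that policy evaluation, ServiceSecurityContext population and CheckAccessCore still happen in the usual order. The class name, the buffer bound, the body element name and namespace, and the expected Name claim value are all assumptions made for this example.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Xml;

// Hypothetical manager: CheckAccess inspects the buffered body, then chains to
// base.CheckAccess so that policy evaluation and CheckAccessCore still run.
public class ChainedAuthorizationManager : ServiceAuthorizationManager
{
    // Bound on the buffered copy; a larger request is denied, not buffered without limit.
    private const int MaxBufferedBytes = 64 * 1024;
    // Body element that must be present (names assumed for this example).
    private const string BodyNs = "urn:example:orders";
    private const string RequiredElement = "TenantId";
    // Name claim the caller must present (value assumed for this example).
    private const string AllowedName = "order-service-client";

    public override bool CheckAccess(OperationContext operationContext, ref Message message)
    {
        if (message == null || message.IsEmpty) return false;
        MessageBuffer buffer;
        try { buffer = message.CreateBufferedCopy(MaxBufferedBytes); }
        catch (QuotaExceededException) { return false; } // body exceeds the bound: deny

        // Read a copy: whichever Message instance is read is consumed by the read.
        using (Message copy = buffer.CreateMessage())
        using (XmlDictionaryReader body = copy.GetReaderAtBodyContents())
        {
            body.MoveToContent();
            bool found = (body.LocalName == RequiredElement && body.NamespaceURI == BodyNs)
                         || body.ReadToFollowing(RequiredElement, BodyNs);
            if (!found || string.IsNullOrWhiteSpace(body.ReadElementContentAsString()))
                return false;
        }

        // Give the dispatcher an unread copy, then let the base implementation
        // evaluate policies, populate ServiceSecurityContext and call CheckAccessCore.
        message = buffer.CreateMessage();
        return base.CheckAccess(operationContext);
    }

    // The identity check belongs here: ServiceSecurityContext is populated by now.
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        AuthorizationContext auth = operationContext.ServiceSecurityContext.AuthorizationContext;
        foreach (ClaimSet set in auth.ClaimSets)
            foreach (Claim claim in set.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
                if (string.Equals(claim.Resource as string, AllowedName, StringComparison.Ordinal))
                    return true;
        return false;
    }
}
```

Because the body is buffered twice per request (once to inspect, once to hand on), keep the bound small and move any check that does not need the body into CheckAccessCore, as the Remarks advise.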
