Hello,

I have a simple authorization setup that checks for certain configured Active Directory roles in a custom authorization policy (IAuthorizationPolicy) - and adds claims if those roles are possessed. On top of that, I have a subclass of ServiceAuthorizationManager which overrides CheckAccessCore. It verifies possession of some of the claims that were added in the evaluation of the custom authorization policy in order to confirm or deny an incoming message.

So, the setup of these components is working fine in my service - my question is around when they are called / the lifetime of objects associated with them. My subclassed ServiceAuthorizationManager is being called for every call made to the service - this is what I expected. However, my custom authorization policy is also being called in every call to the service - which is not what I expected. I can see with every call to the service, a new AuthorizationContext object is generated.

I think my expectations were based on the following: The AuthorizationContext would be created after authentication takes place - and this wouldn't happen every time the service is called because the client is connecting on a NetTcpBinding, on the same proxy with each call (and I thought with the same open socket on the transport), using transport security with Windows credentials, with a service session instance.

So, what I expected overall was that the AuthorizationContext would be generated only when a new session is created, or when the old AuthorizationContext object expired according to its ExpirationTime property (not on every call to the service).

So, if someone could tell me what the reality of the situation is for the lifetime of the AuthorizationContext object - or perhaps tell me how to change the service to get it to behave the way I expected, I would very much appreciate it.

For context - if it makes any difference - I'm still using the 3.0 CLR libraries.

Thanks
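
A minimal sketch of the setup described in the question, added here as an illustration and not the poster's code: a custom `IAuthorizationPolicy` that turns Windows group membership into a claim, and a `ServiceAuthorizationManager` that denies by default unless that claim is present. The claim type URI and the group name are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;
// Hypothetical claim type and AD group, chosen only for this sketch.
static class Demo
{
    public const string RoleClaimType = "http://example.invalid/claims/role";
    public const string RequiredGroup = @"EXAMPLE\ServiceOperators";
}

public class RoleClaimPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }
    public bool Evaluate(EvaluationContext context, ref object state)
    {
        object obj;
        if (!context.Properties.TryGetValue("Identities", out obj)) return false;
        IList<IIdentity> identities = obj as IList<IIdentity>;
        if (identities == null) return false; // ask to be evaluated again later
        List<Claim> claims = new List<Claim>();
        foreach (IIdentity identity in identities)
        {
            WindowsIdentity wi = identity as WindowsIdentity;
            if (wi != null && new WindowsPrincipal(wi).IsInRole(Demo.RequiredGroup))
                claims.Add(new Claim(Demo.RoleClaimType, Demo.RequiredGroup, Rights.PossessProperty));
        }
        // A trace line here shows how often the policy is evaluated per session.
        context.AddClaimSet(this, new DefaultClaimSet(Issuer, claims));
        return true; // nothing further to add on later passes
    }
}

public class ClaimCheckingManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext sec = operationContext.ServiceSecurityContext;
        if (sec == null) return false; // no security context: deny
        foreach (ClaimSet set in sec.AuthorizationContext.ClaimSets)
            foreach (Claim c in set.FindClaims(Demo.RoleClaimType, Rights.PossessProperty))
                if (Demo.RequiredGroup.Equals(c.Resource)) return true;
        return false; // deny by default when the claim is absent
    }
}
```

Both types are registered under the service behavior's `<serviceAuthorization>` element: the manager through `serviceAuthorizationManagerType`, the policy through `<authorizationPolicies>`.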