Hello. What is the best way to achieve application authorization and entitlement in .Net. Earlier AzMan use to be the standard way. With the advent of provider model, at least roles are taken care of but I am not sure about the authorization & entitlement. I am looking at the ability to define and access operation level permissions for roles / users. What is the most suitable way to achieve the above?
According to this blog post the ClaimsAuthorizationManager API is 'next generation of AzMan'. It's just an API however, and doesn't come with a default implementation or an admin GUI, so it's not yet really a direct replacement.
The WIF/ Geneva stuff still doesn't seem as "mature" as AzMan. We have been using AzMan for about 3 years now, and our implementation has evolved from a straight link into the azman.dll through to a WCF based service which serves up roles and operations. The WCF service services WinForms, WPF clients and I'm now in the process of getting it to work with Silverlight. I don't see us switching from AzMan an time soon, at least not until a front end is produced to set up the WIF roles, operations etc like that provided for free in azman....
As for the details, well we have our azman store in Active Directory and a .net dll built that provides a .net wrapper around the ugly COM azroles.dll. On top of this we have a WCF service that basically just passes the requests for roles and operations straight thru to the .net azman dll. Roles and operations etc are returned as string arrays for the client to handle. There are two ways of doing authentication by the service. Either through 1) anonymous authentication, or 2) windows authentication (pass-thru). This means that if you supply a username and password then anonymous authentication is used which first uses these strings to Authenticate you. If pass-thru/Windows Authentication is used then the WCF service already knows that you are an authenticated windows user... There could be an argument for splitting the anon and windows authentication into two seperate services...
Generally the winforms and WPF clients use the windows authentication to pass through and get the available roles, whilst the Silverlight clients use anonymous authentication...