In the Windows Identity Foundation (WIF), there is a class called ClaimsPrincipalPermission. The documentation on MSDN is very sparse. It states:
ClaimsPrincipalPermission represents the permission required to access a resource. ClaimsPrincipalPermission takes in a string that represents the resource to be accessed, and a string that represents the action to be performed on the resource. When Demand is called, the principal must have the permission to perform the specified action on the specified resource, or Demand throws an exception.
This is cool. It allows me to set an attribute on a function and make it so that only authorized users can call that function. I have no trouble getting this functionality to work.
However, there is another issue. I'm working on a web application with many features which only certain users are allowed to access. I wish to code my page to only display links to pages with functionality the logged-in user is allowed to access.
The only way I see to do this with ClaimsPrincipalPermission is to do the following:
    Dim foo As ClaimsPrincipalPermission
    foo = New ClaimsPrincipalPermission(resource:="SECRET_FUNCTION", action:="EXECUTE")
    Try
        foo.Demand()
        Response.Write(Link_To_Execute_Secret_Function)
    Catch ex As Exception
        Response.Write("No access to Secret Function")
    End Try
My supervisor has made it very clear to me that such "coding by exception" is unacceptable. I'm certain that I could encapsulate this sort of thing in a small library, but I'd like to know how WIF is intended to be used for this.
By the way, I am aware that WIF allows me to automatically check for access to specific web pages, but the architect of this project wants to specify names of functions to be restricted, not web page URLs.
What's the best thing to do?
UPDATE
So far, the best thing I've found is to encapsulate the programming by exception to mitigate the consequences...
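An added example (not from the original question or from WIF itself) of getting the same authorization decision as a Boolean: ClaimsPrincipalPermission.Demand delegates to the configured ClaimsAuthorizationManager, so calling that manager's CheckAccess directly yields the same answer without an exception. It assumes the WIF 4.5 namespaces (System.Security.Claims, System.IdentityModel.Services); the FunctionAuthorizationManager class, its policy table and the resource and role names are illustrative.

```vb
' Added example: exception-free access check on top of WIF's ClaimsAuthorizationManager.
' Assumes WIF 4.5 (System.IdentityModel / System.IdentityModel.Services).
Imports System.Collections.Generic
Imports System.Linq
Imports System.Security.Claims
Imports System.IdentityModel.Services

' Hypothetical manager: maps (function name, action) to the role claim required.
' Register it in web.config under <system.identityModel><identityConfiguration>
' <claimsAuthorizationManager type="..."/> so Demand() and CanAccess() share it.
Public Class FunctionAuthorizationManager
    Inherits ClaimsAuthorizationManager

    ' Constructed policy table for the example: "RESOURCE|ACTION" -> required role
    Private Shared ReadOnly Policy As New Dictionary(Of String, String) From {
        {"SECRET_FUNCTION|EXECUTE", "SecretUsers"},
        {"REPORTS|VIEW", "Auditors"}
    }

    Public Overrides Function CheckAccess(context As AuthorizationContext) As Boolean
        ' WIF wraps the resource and action strings as claims on the context
        Dim resource = context.Resource.First().Value
        Dim action = context.Action.First().Value
        Dim requiredRole As String = Nothing
        If Not Policy.TryGetValue(resource & "|" & action, requiredRole) Then
            Return False   ' default deny: unknown resource/action pairs are refused
        End If
        Return context.Principal.IsInRole(requiredRole)
    End Function
End Class

Public Module AccessCheck
    ' Same decision Demand() makes, returned as True/False instead of a SecurityException.
    Public Function CanAccess(principal As ClaimsPrincipal, resource As String, action As String) As Boolean
        Dim manager = FederatedAuthentication.FederationConfiguration _
            .IdentityConfiguration.ClaimsAuthorizationManager
        Return manager.CheckAccess(New AuthorizationContext(principal, resource, action))
    End Function
End Module

' Usage in page code-behind, no Try/Catch needed:
' If AccessCheck.CanAccess(DirectCast(User, ClaimsPrincipal), "SECRET_FUNCTION", "EXECUTE") Then
'     Response.Write(Link_To_Execute_Secret_Function)
' End If
```

In WIF 3.5 the same types live under Microsoft.IdentityModel and the manager is reached through FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager instead.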