views: 31
answers: 1

In the Windows Identity Foundation (WIF), there is a class called ClaimsPrincipalPermission. The documentation on MSDN is very sparse. It states:

ClaimsPrincipalPermission represents the permission required to access a resource. ClaimsPrincipalPermission takes in a string that represents the resource to be accessed, and a string that represents the action to be performed on the resource. When Demand is called, the principal must have the permission to perform the specified action on the specified resource, or Demand throws an exception.

This is cool. It allows me to set an attribute on a function and make it so that only authorized users can call that function. I have no trouble getting this functionality to work.

However, there is another issue. I'm working on a web application with many features which only certain users are allowed to access. I wish to code my page to only display links to pages with functionality the logged in user is allowed to access.

The only way I see to do this with ClaimsPrincipalPermission is to do the following:

    ' WIF 3.5 namespaces; in .NET 4.5 the class lives in System.IdentityModel.Services.
    Imports System.Security
    Imports Microsoft.IdentityModel.Claims

    ' Demand() throws SecurityException when the current principal is not
    ' authorized to perform the action on the resource.
    Dim foo As New ClaimsPrincipalPermission(resource:="SECRET_FUNCTION", action:="EXECUTE")
    Try
        foo.Demand()
        Response.Write(Link_To_Execute_Secret_Function)
    Catch ex As SecurityException
        Response.Write("No access to Secret Function")
    End Try

My supervisor has made it very clear to me that such "coding by exception" is unacceptable. I'm certain that I could encapsulate this sort of thing in a small library, but I'd like to know how WIF is intended to be used for this.

By the way, I am aware that WIF allows me to automatically check for access to specific web pages, but the architect of this project wants to specify names of functions to be restricted, not web page URLs.

What's the best thing to do?

UPDATE

So far, the best thing I've found is to encapsulate the programming by exception to mitigate the consequences...
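Added example (not code from the original question or answer): ClaimsPrincipalPermission.Demand does not hold policy itself; it asks the ClaimsAuthorizationManager registered in the WIF service configuration, whose CheckAccess returns a Boolean. Calling that manager directly gives a non-throwing check for rendering links while the attribute keeps enforcing the same policy on the function. This assumes WIF 3.5 (Microsoft.IdentityModel.dll), that the manager below is registered in web.config, and a hypothetical claim type and "RESOURCE:ACTION" value scheme for the function claims; the claim type, the manager class name and CanAccess are assumptions for the example, not WIF names.

```vb
Imports System.Threading
Imports Microsoft.IdentityModel.Claims
Imports Microsoft.IdentityModel.Web

' Hypothetical authorization manager for this example. Register it in web.config under
' <microsoft.identityModel><service><claimsAuthorizationManager type="..."/> so that both
' ClaimsPrincipalPermission.Demand and CanAccess below consult the same policy.
Public Class FunctionAuthorizationManager
    Inherits ClaimsAuthorizationManager

    ' Assumed claim type; a real deployment takes this from the issuing STS.
    Public Const FunctionClaimType As String = "http://schemas.example.com/claims/function"

    Public Overrides Function CheckAccess(ByVal context As AuthorizationContext) As Boolean
        ' The (principal, resource, action) constructor stores the resource and action
        ' strings as the first claim of the Resource and Action collections.
        If context.Resource.Count = 0 OrElse context.Action.Count = 0 Then Return False
        Dim required As String = context.Resource(0).Value & ":" & context.Action(0).Value

        ' Deny by default; grant only on an exact, case-sensitive match of a function claim.
        For Each identity As IClaimsIdentity In context.Principal.Identities
            For Each c As Claim In identity.Claims
                If c.ClaimType = FunctionClaimType AndAlso
                   String.Equals(c.Value, required, StringComparison.Ordinal) Then
                    Return True
                End If
            Next
        Next
        Return False
    End Function
End Class

Public Module FunctionAccess
    ' Non-throwing counterpart of ClaimsPrincipalPermission.Demand for the same
    ' resource/action pair: same manager, same answer, no exception for control flow.
    Public Function CanAccess(ByVal resource As String, ByVal action As String) As Boolean
        Dim principal = TryCast(Thread.CurrentPrincipal, IClaimsPrincipal)
        If principal Is Nothing OrElse Not principal.Identity.IsAuthenticated Then Return False

        Dim manager = FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager
        If manager Is Nothing Then Return False

        Return manager.CheckAccess(New AuthorizationContext(principal, resource, action))
    End Function
End Module

' Page code: render the link only when the user is authorized, with no Try/Catch.
' The function itself stays guarded by the attribute, so hiding the link is a
' usability measure and the Demand is the actual security boundary.
Public Class SecretPage
    Inherits System.Web.UI.Page

    Protected Overrides Sub OnLoad(ByVal e As EventArgs)
        MyBase.OnLoad(e)
        If FunctionAccess.CanAccess("SECRET_FUNCTION", "EXECUTE") Then
            Response.Write("<a href=""Secret.aspx"">Execute Secret Function</a>")
        End If
    End Sub

    <ClaimsPrincipalPermission(Security.Permissions.SecurityAction.Demand,
                               Resource:="SECRET_FUNCTION", Operation:="EXECUTE")>
    Public Sub ExecuteSecretFunction()
        ' Enforced by the same manager regardless of whether the link was shown.
    End Sub
End Class
```

Keep the link check and the attribute pointed at the same resource/action strings; if they drift apart, users see links they cannot follow or, worse, the link check grants what the Demand would deny.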

A: 

Is what users/roles/whatever can get to certain pages stored in a table somewhere? And if so, do you have access to it? Are the user permissions to certain functions also in the database? If yes, yes and yes, then you want to render your links on pages more directly from the DB through your own object model, rather than through WIF. This would be very clean. Coding up your menu options (which I assume has to be done on every page?) from information from WIF sounds tedious and bulky.

Patrick Karcher