I'm trying to evaluate whether to use classic Principal-based authorization vs. IdentityModel authorization. It seems like Microsoft is recommending the latter these days, but I haven't seen enough in terms of maturity or support for it. Specifically, I really like the ability to set a PrincipalPermissionAttribute and allow the framework to automatically take care of preventing unauthorized class instantiation and method calls.
I am already using a ServiceAuthorizationManager and could perform evaluation there...but what about non-WCF scenarios? And what about preventing the instantiation of certain classes and preventing method calls within a WCF operation, not before it executes?
I am also already using an IoC mechanism and have contemplated using interceptors and a custom activator that performs claims-based evaluation against a hypothetical RequiresClaimAttribute on a class or method...but I'm not really fond of such an approach because it requires any objects that want authorization support to use the IoC container for resolution and construction...
So I guess my question is...is Microsoft's Windows Identity Foundation (aka IdentityModel framework) really mature enough to use at this point? Are there ways of accomplishing what I'm describing with IdentityModel?