My understanding is that an IAuthorizationPolicy (added through my web.config) should be called BEFORE my ServiceAuthorizationManager.CheckAccessCore (also added through my web.config). (I also have principal authorization mode set to Custom in the web.config.)
This way, the IAuthorizationPolicy can add a ClaimSet, then the ServiceAuthorizationManager can return true or false based on the presence of that ClaimSet.
Problem is, that's not happening. My ServiceAuthorizationManager.CheckAccessCore is actually being called BEFORE my IAuthorizationPolicy.Evaluate.
I actually didn't even think IAuthorizationPolicy.Evaluate was being called at all, because my ServiceAuthorizationManager was returning false (because no ClaimSet was present) and the client was getting Access Denied right away. Then I changed ServiceAuthorizationManager.CheckAccessCore to return true unconditionally and found that my breakpoint in the IAuthorizationPolicy.Evaluate was hit immediately after.
What's going on here? Any ideas? Could it have something to do with hosting my service in ASP.NET Compatibility mode?
Thanks.