tags:

views:

40

answers:

1
+2  Q: 

Applying custom claims in claims based application

I would like to grant document level permission based on custom claims in claims based web site. A user may have hundreds of document or one. Is it a good idea to apply custom claims? What is the avantages or disadvantages? Is there a limit on the number of claims that can be added to the claim set?

Thanks in advance for your help.

+1  A: 

Even though it is possible, it is usually a good idea to keep claims "coarse grained". By default, in a web app, the claimset will be sent back and forth on each request (as it is serialized in cookies), so you will have a potentially rather large payload going across the network.

You can override this by configuring WIF to use "session" as opposed to cookies, but...you get all the disadvantages of server side session (e.g. configuration for WebFarms, affinity, etc)

The other thing to consdier with this approach is the maintenace of that knowledge in the STS. You will need to keep a rather large set of rules to issue these claims that are likely to change often.

You definitely don't want all these in a central infrastructure STS as it will become the bottleneck of potentially large set of apps. So you will end up putting all these logic into a RP-STS (and STS that is associated with your app). Not impossible, but probably inconvenient.

Typically, the biggest advantage of a "permission" claim is that the Authorization manager is tricial to write:

if( PrincipalContainsDocumentClaim( documentYouAreTryingToOpen )
  ShowDocument(documentYouAreTryingToOpen );
else
  AccessDenied(documentYouAreTryingToOpen );

I think a better approach is to have an authorization manager that is able to answer the questions:

bool HasAccess( IPrincipal p, string document )

Inside that component you'd use the claimset to decide whether user has access or not. That logic might include mapping of roles, usersnames, and maybe other "higher order" claims (e.g. the org you belong, the country you are in, etc) into permissions.

Another problem of "permission claims" is that if you make a change (e.g you grant access to logged in user) how do you refresh the claimset? You'd have to logoff-logon which is normally not a great user experience.

Eugenio Pace  2010-09-10 12:43:26
Thanks Eugenio for detailed explanation and that is right the performance would be the major issue and it is better to use custom claims for high level attributes. The way I was trying to assign permission using custom claims is by using SPRoleDefinition and SPRoleAssignment. Where can I get some more examples on using Authorization manager, PrincipalContainsDocumentClaim ? Thanks again
aYus  2010-09-13 14:47:06

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?