WCF 4.0: IAuthorizationPolicy Evaluate() called after ServiceAuthorizationManager CheckAccessCore(): why?
I'm working on a WCF service that is hosted through a Windows Service. I have added my custom Authorization Manager and Authorization Policy, and I've seen that the Evaluate() method of the Authorization Policy is actually called AFTER the CheckAccessCore() of the Authorization Manager: shouldn't it be the opposite?
I've been searching on Google and found some tips, but they did not work for me (e.g. link).
Here is a snip of the app.config:
    <userNameAuthentication userNamePasswordValidationMode="Custom"
        customUserNamePasswordValidatorType="Reply.Platform.IoTAccessControlLibrary.IoTPwdValidator, Reply.Platform.IoTAccessControlLibrary" />
</serviceCredentials>
<serviceAuthorization serviceAuthorizationManagerType="Reply.Platform.IoTAccessControlLibrary.IoTServiceAuthorizationManager, Reply.Platform.IoTAccessControlLibrary">
    <authorizationPolicies>
        <add policyType="Reply.Platform.IoTAccessControlLibrary.IoTAuthorizationPolicy, Reply.Platform.IoTAccessControlLibrary" />
    </authorizationPolicies>
</serviceAuthorization>
Can someone help me?
Regards,
Gianpaolo
It is working exactly as intended. It comes down to this simple equation: if access should not be granted, then there should be no need to check to see if the access should be authorized. In the case of the example you are providing here, you would first validate the correct combination of a username/password pair and then you would check to see if they had access to the system. After you check to see if they have access to the system, you then evaluate whether or not they are authorized per the policies defined.
Consider this basic example:
1) Does the username and password match with a known user? Yes. (Service Credentials)
2) Is that known user enabled on the system? Yes. (Service Authorization)
3) Does that known user have the role of 'X'? Yes. (IAuthorizationPolicy)
Hence the workflow defined by WCF.
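As an added illustration (not the asker's code and not from the WCF samples), here is a minimal instrumented pair of the two hooks the answer lists, with a hypothetical role lookup for a user named "alice": WCF creates ServiceSecurityContext.AuthorizationContext lazily from the registered policies, so a CheckAccessCore() that reads it forces Evaluate() to run before the access decision, while one that never reads it sees Evaluate() run later when something else first touches the context.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;

// Policy: turns the authenticated identity into a principal with roles.
public class RoleAuthorizationPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        Trace.WriteLine("IAuthorizationPolicy.Evaluate()");
        object identitiesObj;
        if (!evaluationContext.Properties.TryGetValue("Identities", out identitiesObj))
            return false; // not done yet: WCF may call again once other policies add claims
        var identities = identitiesObj as IList<IIdentity>;
        if (identities == null || identities.Count == 0)
            return false;
        IIdentity identity = identities[0];
        // Hypothetical role store; a real service would query its own backing data.
        string[] roles = identity.Name == "alice" ? new[] { "Reader" } : new string[0];
        evaluationContext.Properties["Principal"] = new GenericPrincipal(identity, roles);
        return true;
    }
}

// Manager: the per-call access decision, deny by default.
public class RoleAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        Trace.WriteLine("ServiceAuthorizationManager.CheckAccessCore()");
        // AuthorizationContext is created lazily from the registered policies,
        // so reading it here runs Evaluate() before the decision below.
        AuthorizationContext ctx = operationContext.ServiceSecurityContext.AuthorizationContext;
        object principalObj;
        if (ctx == null || !ctx.Properties.TryGetValue("Principal", out principalObj))
            return false; // no principal produced: deny rather than fall through
        var principal = principalObj as IPrincipal;
        return principal != null && principal.IsInRole("Reader");
    }
}
```

Register both types in the serviceAuthorization element exactly as in the app.config above; the Trace output then shows the order in which the two hooks fire for each call.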