All geek questions in one place

Where is the best place to install a user principal / ID?

I work on a website (using ASP.NET C #) that uses both form-based and claims-based authentication. I would like to override the ClaimsIdentity class in order to implement the IsAuthenticated native method and add additional properties for the claim-specific identifier.

I am currently implementing a custom WSFederationAuthentionModule method, but I was trying to figure out which module I should override (in particular, which method) so that I could set my user ID / main, and not the standard ClaimsPrincipal.

So far, I have looked at both the SessionAuthenticationModule and the ClaimsPrincipalHTTPModule, but I could not understand at what stage the principle / best way to redefine it was given.

thanks

Addendum: Since I am new to this, let me be sure that it is correct: the way to establish an identity is to establish a user principle that is configured to use this identifier:

System.Threading.Thread.CurrentPrincipal = customClaimsPrincipal;

Alternatively, if a custom principle is not needed, the ClaimPrincipal class can be constructed using the ClaimsIdentityCollection.

+4
source share
2 answers

There are several places where you can do this, but if you use the SessionAuthenticationModule , some of the processes are not well documented, which can be done using a custom main element. The rest of this answer explains one possible way to handle this when using the SessionAuthenticationModule .

Cancel the SessionAuthenticationModule.SetPrincipalFromSessionToken method.

The SessionAuthenticationModule module stores the security token, principal, identifiers and claims in a cookie and cache in memory to avoid the need to make circular trips to the identification / token service with each request. What is not well documented is having a cache and checking its first place, then a cookie and restrictions on serializing ClaimsPrincipal .

If you have already set the user principle in ClaimsAuthenticationManager.Authenticate and the cache is intact, your user manager will most likely be there, since the cache stores its own .NET objects. If you have not yet set up a custom principle or the cache is not full, then the security token will be retrieved from the FedAuth session cookie.

When a token is serialized / deserialized to / from a cookie, the process uses custom serialization, which is able to read and write attributes of the IClaimsPrincipal and IClaimsIdentity (or the ClaimsPrinicpal and ClaimsIdentity classes - I don’t remember which one). Any custom attributes of the main and identification objects will not be included. It may be possible to override serialization, but this requires several (3 IIRC) more layers of class override.

You also need to know that the basic SetPrincipalFromSessionToken method creates a new ClaimsPrincipal object and sets it in the stream and context, so even if the sessionSecurityToken parameter contains a user-defined main object, it will be transferred back to the ClaimsPrincipal object.

Here is an example of an override method:

 protected override void SetPrincipalFromSessionToken(SessionSecurityToken sessionSecurityToken) { SessionSecurityToken newToken = MyClaimsPrincipalUtility.CreateCustomClaimsPrincipalToken(sessionSecurityToken); base.SetPrincipalFromSessionToken(newToken); //the following lines need to be set after the base method call, because the base method overwrites the Principal object HttpContext.Current.User = newToken.ClaimsPrincipal; Thread.CurrentPrincipal = newToken.ClaimsPrincipal; }

The implementation of the base class ( SessionAuthenticationModule ) is as follows. Thus, there are several different ways that you can achieve redefinition and get the basic principle of assignment.

 protected virtual void SetPrincipalFromSessionToken(SessionSecurityToken sessionSecurityToken) { IClaimsPrincipal fromIdentities = ClaimsPrincipal.CreateFromIdentities(this.ValidateSessionToken(sessionSecurityToken)); HttpContext.Current.User = (IPrincipal) fromIdentities; Thread.CurrentPrincipal = (IPrincipal) fromIdentities; //tracing code removed this.ContextSessionSecurityToken = sessionSecurityToken; }

And just in case you are interested, here is the base class implementation for SessionAuthenticationModule.ContextSessionSecurityToken .

 public virtual SessionSecurityToken ContextSessionSecurityToken { get { return (SessionSecurityToken) HttpContext.Current.Items[(object) typeof (SessionSecurityToken).AssemblyQualifiedName]; } internal set { HttpContext.Current.Items[(object) typeof (SessionSecurityToken).AssemblyQualifiedName] = (object) value; } }
+3
source

You are correct that HttpModules is the path to expansion, but make sure that any logic you implement does not interfere with the performance of your application. After adding too many HttpModules to the application, I had websites that crashed badly. Perhaps you should cache the results of your queries, depending on the auth model you are using.

You need to find out under what conditions you need to use your ClaimsPrincipal order. Until you do this, you tremble in the dark. Are there specific URLs for which you need requirement authentication?

+1
source

Source: https://habr.com/ru/post/1345869/

More articles:


All Articles