CustomValidator and CustomIPrincipal

Greetings

I need to be able to:
- validate credentials against our own store (done)
- create an existing user object based on the store (done)
- create a custom Identity with an extra property that contains the user
object. (done)

I can do all three of those steps individually, but I'm having trouble with
some WCF implementation details. Where do I do which step?

I've been all over google and have found a lot of good information for this,
but a lot of it is from pre-release and doesn't necessarily apply anymore. I
also found this excellent post:

http://groups.google.co.uk/group/mic...40905d321cce17


When the CustomValidator is called, I have what I need (username and
password) to recreate our user object. However, I can't set the thread
principal or PrimaryPrincipal at that point because, apparently, that's not
the thread that the service method executes on. (Additionally, I don't see
how to set the PrimaryPrincipal yet. I saw examples using a properties
collection, but those were pre release and have notes that say they won't
work any more). I'd prefer to use the thread principal because that would
allow it to play well with the other kids.

Based on reading, it seems the place to set the principal is in the
Authorization Policy, but at that point I don't have the username and
password so I can't create the object.

If that strategy is correct, then how do I persiste an object between the
CustomValidator to the Authorization Policy?

I'm using the "Programming WCF Services" book, which is good. Any
recommendations for another good one?

Thanks in advance for your help.
Jay

Correction: I see now that CustomValidator does execute in the same thread
as the service method. However, the principal I set in the validator is
overwritten by a windows principal by the time it gets to the methods.


"Jay Allard" <jay@allardworks.com> wrote in message
news:7cudnZXVes5rYa3bnZ2dnUVZ_hKdnZ2d@adelphia.com...
> Greetings
>
> I need to be able to:
> - validate credentials against our own store (done)
> - create an existing user object based on the store (done)
> - create a custom Identity with an extra property that contains the user
> object. (done)
>
> I can do all three of those steps individually, but I'm having trouble
> with some WCF implementation details. Where do I do which step?
>
> I've been all over google and have found a lot of good information for
> this, but a lot of it is from pre-release and doesn't necessarily apply
> anymore. I also found this excellent post:
>
> http://groups.google.co.uk/group/mic...40905d321cce17
>
>
> When the CustomValidator is called, I have what I need (username and
> password) to recreate our user object. However, I can't set the thread
> principal or PrimaryPrincipal at that point because, apparently, that's
> not the thread that the service method executes on. (Additionally, I don't
> see how to set the PrimaryPrincipal yet. I saw examples using a properties
> collection, but those were pre release and have notes that say they won't
> work any more). I'd prefer to use the thread principal because that would
> allow it to play well with the other kids.
>
> Based on reading, it seems the place to set the principal is in the
> Authorization Policy, but at that point I don't have the username and
> password so I can't create the object.
>
> If that strategy is correct, then how do I persiste an object between the
> CustomValidator to the Authorization Policy?
>
> I'm using the "Programming WCF Services" book, which is good. Any
> recommendations for another good one?
>
> Thanks in advance for your help.
> Jay
>

In the validator you have access to name and password for the purposes
of authentication
In the authorization policy you have access to the name (but not
password) for the purpose of creating a custom principal; look for an
"Identities" property on the evaluation context, and enumerate each;
one of them will be authenticated and will have an authentication type
of your validator; from the name you should be able to construct a new
principal with the roles and assign the Principal property. Something
like:

bool IAuthorizationPolicy.Evaluate(EvaluationContext
evaluationContext, ref object state)
{
IList<IIdentity> idents;
object identsObject;
if
(evaluationContext.Properties.TryGetValue("Identities", out
identsObject) && (idents = identsObject as IList<IIdentity>) != null)
{
foreach (IIdentity ident in idents)
{
if (ident.IsAuthenticated &&
ident.AuthenticationType == MyTrustedAuthType)
{
evaluationContext.Properties["Principal"]
= {new principal from ident.Name}
return true; // we're done
}
}
}
if (!
evaluationContext.Properties.ContainsKey("Principal"))
{
evaluationContext.Properties["Principal"] = Anon;
}
return false; // keep trying

}

That worked great. Thanks for your help.

Stay tuned. I'm sure I'll be back.

Jay


<marc.gravell@gmail.com> wrote in message
news:1177630355.104557.128830@b40g2000prd.googlegroups.com...
> In the validator you have access to name and password for the purposes
> of authentication
> In the authorization policy you have access to the name (but not
> password) for the purpose of creating a custom principal; look for an
> "Identities" property on the evaluation context, and enumerate each;
> one of them will be authenticated and will have an authentication type
> of your validator; from the name you should be able to construct a new
> principal with the roles and assign the Principal property. Something
> like:
>
> bool IAuthorizationPolicy.Evaluate(EvaluationContext
> evaluationContext, ref object state)
> {
> IList<IIdentity> idents;
> object identsObject;
> if
> (evaluationContext.Properties.TryGetValue("Identities", out
> identsObject) && (idents = identsObject as IList<IIdentity>) != null)
> {
> foreach (IIdentity ident in idents)
> {
> if (ident.IsAuthenticated &&
> ident.AuthenticationType == MyTrustedAuthType)
> {
> evaluationContext.Properties["Principal"]
> = {new principal from ident.Name}
> return true; // we're done
> }
> }
> }
> if (!
> evaluationContext.Properties.ContainsKey("Principal"))
> {
> evaluationContext.Properties["Principal"] = Anon;
> }
> return false; // keep trying
>
> }
>