
I have code similar to the snippet below (taken from http://leastprivilege.com/2009/05/24/use-geneva-session-management-for-your-own-needs/)

using Microsoft.IdentityModel.Claims;

public class Transformer : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(string endpointUri, IClaimsPrincipal incomingPrincipal)
    {
        var claimName = "customClaimType";
        // expensive operation (placeholder for the real data-store lookup)
        var claimValue = LoadClaimValueFromStore();

        incomingPrincipal.Identities[0].Claims.Add(new Claim(claimName, claimValue));

        return incomingPrincipal;
    }

    private static string LoadClaimValueFromStore()
    {
        // stand-in for the expensive operation; the original snippet elides it
        return "customClaimValue";
    }
}

And in the article (http://leastprivilege.com/2009/05/24/use-geneva-session-management-for-your-own-needs/), Dominick points out that if we don't want to retrieve these (expensive) claims from a data store on every request then we can make use of the SAM (SessionAuthenticationModule). However, couldn't we just check to see if this claim already exists for the identity and then only fetch the claim if it doesn't exist? Wouldn't this solve the performance concern?

using System.Linq;
using Microsoft.IdentityModel.Claims;

public class Transformer : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(string endpointUri, IClaimsPrincipal incomingPrincipal)
    {
        var claimName = "customClaimType";
        // only pay for the lookup if the identity does not already carry the claim
        if (!incomingPrincipal.Identities[0].Claims.Any(x => x.ClaimType == claimName))
        {
            // expensive operation (placeholder for the real data-store lookup)
            var claimValue = LoadClaimValueFromStore();

            incomingPrincipal.Identities[0].Claims.Add(new Claim(claimName, claimValue));
        }

        return incomingPrincipal;
    }

    private static string LoadClaimValueFromStore()
    {
        // stand-in for the expensive operation; the original snippet elides it
        return "customClaimValue";
    }
}

I don't understand why we have to resort to the SessionAuthenticationModule. So I tried the above code on my local machine and I stepped through it to verify that for subsequent requests (after the initial one), the expensive operation doesn't get called. Now I'm not sure if this will be the case in a load-balanced environment (web farm) or in a truly federated group involving multiple relying parties sharing a single-sign-on structure.

I would really appreciate an explanation that would help me understand this better.

Thanks! -Karthi.

JoeBrockhaus
karthitect

2 Answers


I think you've answered your own question actually. The simple difference with Dominick's approach is that the additional "http://claims/expensive" claim is being cached in the session cookie, but with your proposed solution it isn't.

Andrew Lavers
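To make the difference between the two approaches concrete, here is an added example (my own code, not from the original post, from Dominick's article, or from WIF itself) written against the WIF 3.5 Microsoft.IdentityModel API the question uses. It puts three pieces side by side: the guarded transformer from the question, the explicit "write the principal into the session cookie" step that Dominick's article adds for the case where WS-Federation is not doing it for you, and the web-farm configuration that the question worries about. Everything except the WIF types is an assumption: the class names, the hypothetical LoadClaimValueFromStore lookup, the eight-hour session lifetime, and the certificate subject name used to key the cookie protection.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

// Added example, not code from the original post or from Dominick's article.
// 1) Guarded transformer: the lookup only runs when the identity that came out of
//    the session cookie does not already carry the claim.
public class CachingTransformer : ClaimsAuthenticationManager
{
    private const string ClaimName = "customClaimType";

    public override IClaimsPrincipal Authenticate(string endpointUri, IClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        var identity = incomingPrincipal.Identities[0];
        if (identity.Claims.Any(c => c.ClaimType == ClaimName))
            return incomingPrincipal;                 // fast path: claim was cached in the cookie

        var claimValue = LoadClaimValueFromStore(identity.Name);   // hypothetical expensive call
        identity.Claims.Add(new Claim(ClaimName, claimValue));
        return incomingPrincipal;
    }

    private static string LoadClaimValueFromStore(string userName)
    {
        // Stand-in for the data-store query; a real implementation hits a database or service.
        return "value-for-" + userName;
    }
}

// 2) The step Dominick's article adds when WS-Federation is not writing the cookie for you:
//    after building the principal yourself, hand it to the SessionAuthenticationModule so it
//    is serialized into the session cookie and rehydrated on later requests without the lookup.
public static class SessionCache
{
    public static void Persist(IClaimsPrincipal principal)
    {
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam == null)
            throw new InvalidOperationException("SessionAuthenticationModule is not registered in web.config.");
        var token = new SessionSecurityToken(principal, TimeSpan.FromHours(8));   // assumed lifetime
        sam.WriteSessionTokenToCookie(token);
    }
}

// 3) Web-farm caveat: by default WIF 3.5 protects the session cookie with DPAPI, which is
//    machine-bound, so a cookie written by one node cannot be read by another and every node
//    would redo the expensive lookup. Replace the cookie transforms with RSA ones keyed by a
//    certificate installed on every node. Wire it up in Global.asax with
//    FederatedAuthentication.ServiceConfigurationCreated += FarmCookieProtection.Configure;
public static class FarmCookieProtection
{
    public static void Configure(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        var cert = FindCertificate("CN=farm-session-cookie");   // hypothetical subject name
        var transforms = new ReadOnlyCollection<CookieTransform>(new CookieTransform[]
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert),
        });
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(new SessionSecurityTokenHandler(transforms));
    }

    private static X509Certificate2 FindCertificate(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subjectName, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Farm cookie certificate not found: " + subjectName);
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Two practitioner notes on the design. The guard in CachingTransformer only helps if something has already put the augmented principal into the session cookie; with WS-Federation that is the WSFederationAuthenticationModule after sign-in, and without it you must call SessionCache.Persist yourself. And whichever way the cookie gets written, the claim is now frozen for the cookie's lifetime: a change in the data store (for example a revoked role) is not seen until the session expires or is rebuilt, so pick the lifetime with that in mind.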

I misunderstood Dominick's article. His article was about using WIF's SessionAuthenticationModule for your purposes. If you're using WIF w/ WS-Fed then you get this behaviour out of the box.

Just thought I'd clear that up...

karthitect