I am using WIF to secure my WCF service with claims-based security. I would like to implement some simple attributes that can decorate service methods to specify the claims required for a particular operation.
I've started by implementing an IParameterInspector which I apply using a custom IServiceBehavior attribute:
    public void ApplyDispatchBehavior(
        ServiceDescription serviceDescription,
        ServiceHostBase serviceHostBase) {
        // One inspector instance, shared by every operation of the service type.
        var parameterInspector =
            new ClaimsAuthorizationParameterInspector(
                serviceDescription.ServiceType);
        // Attach the inspector to each operation on every endpoint of every channel dispatcher.
        foreach (ChannelDispatcher channelDispatcher in serviceHostBase.ChannelDispatchers) {
            foreach (var endpointDispatcher in channelDispatcher.Endpoints) {
                foreach (DispatchOperation operation in endpointDispatcher.DispatchRuntime.Operations) {
                    operation.ParameterInspectors.Add(parameterInspector);
                }
            }
        }
    }
Inside the inspector I intend to look up my custom authorization attributes for the current operation, and then validate the claims required against the current identity. However, the problem I am having is that I do not seem to be able to access the current ClaimsPrincipal from within the inspector. I've tried inspecting:
- Thread.CurrentPrincipal (set to GenericPrincipal)
- OperationContext.Current.ClaimsPrincipal (set to null)
- ServiceSecurityContext.Current.PrimaryIdentity (set to GenericPrincipal)
I have configured the service with principalPermissionMode="Always", and the Thread.CurrentPrincipal is always correctly set by the time I actually enter into the service code.
How can I access the correct ClaimsPrincipal, without having to manually create it from the incoming token, at this point in the pipeline? Is there an alternative way I could implement these attributes instead of using a ParameterInspector?