WIF Claims-based authorization configuration

Oct 19, 2012 at 1:18 PM

Hi Richard,

We are looking at configuring a large number of roles for claims-based authorisation.

Can you tell me if:

  1. It's possible to store the configuration settings outside of the web.config in a separate file
  2. It's possible to set a role authorisation on the class level only instead of member by member?

Thanks very much,

John

Coordinator
Oct 19, 2012 at 1:39 PM
Edited Oct 19, 2012 at 1:40 PM

John

First, a general comment. We (NOG) have very little experience of WIF, and none of using it in production. The WIF authoriser that is included in the framework is really intended as an illustration of how to implement a WIF authoriser, not as a production solution itself.

Given the scale of the system that I know you are involved in, I would suggest that you should really be looking at writing your own WIF authoriser, by all means using the source code of ours as a reference or even a starting point.

This would then allow you to decide for yourself:

- How you wanted to represent the permissions, incl. putting them in a separate file as distinct from the web.config. Personally, I don't think you should be storing them in a file as XML at all. I think you should store all this permissions info in a proper database, or even in AD.

- How to specify the authorisations, e.g. at member level, class level, or a combination of the two. This is definitely possible. For example, using the default authoriser in Naked Objects (i.e. not WIF at all) you can do attribute-based authorisation at both member and class level (the latter only came in with v5.0 of Naked Objects). So, again, you could look at the code for our default authoriser to see how that is done, or just write it yourself.

N.B. I assume you are working with v5.0 now anyway  -  because we did make some big improvements to authorization to simplify the task of 'rolling your own'.

Richard
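The following is an added example, not code from this thread and not the Naked Objects or WIF authoriser code Richard refers to. It sketches the shape of a custom claims-based authoriser along the lines he suggests: permissions held in a store outside web.config (here an in-memory table standing in for a database or AD lookup), with rules at class level and member level, where a member-level rule overrides the class-level one and anything with no rule is denied. It assumes .NET 4.5's `System.Security.Claims` (WIF 3.5 used `Microsoft.IdentityModel.Claims` and `IClaimsPrincipal` instead); the `IsVisible`/`IsEditable` surface, the `PermissionStore`, the `Bank.Account` type and the Teller/Manager roles are all constructed for illustration, not the framework's actual interface.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

namespace Bank
{
    // Constructed domain type standing in for one of the many types to be secured.
    public class Account
    {
        public decimal Balance { get; set; }
        public decimal CreditLimit { get; set; }
        public void Close() { }
    }
}

namespace AuthzExample
{
    public enum Access { View, Edit }

    // In-memory stand-in for the database (or AD) table holding the rules.
    // Key: "Namespace.Type" for a class-level rule, "Namespace.Type.Member" for a
    // member-level rule. A member-level rule for a given Access overrides the
    // class-level rule for that member only; a target with no rule is denied.
    public sealed class PermissionStore
    {
        private readonly Dictionary<string, Dictionary<Access, HashSet<string>>> _rules =
            new Dictionary<string, Dictionary<Access, HashSet<string>>>(StringComparer.Ordinal);

        public void Allow(string target, Access access, params string[] roles)
        {
            Dictionary<Access, HashSet<string>> byAccess;
            if (!_rules.TryGetValue(target, out byAccess))
                _rules[target] = byAccess = new Dictionary<Access, HashSet<string>>();
            byAccess[access] = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
        }

        // Roles permitted <access> on <member> of <type>; null if no rule applies.
        public HashSet<string> RolesFor(Type type, string member, Access access)
        {
            var keys = new List<string> { type.FullName };               // class-level, checked last
            if (member != null) keys.Insert(0, type.FullName + "." + member); // member-level first
            foreach (var key in keys)
            {
                Dictionary<Access, HashSet<string>> byAccess;
                HashSet<string> roles;
                if (_rules.TryGetValue(key, out byAccess) && byAccess.TryGetValue(access, out roles))
                    return roles;
            }
            return null;
        }
    }

    // Hypothetical authoriser surface; the real method names and parameters are
    // whatever the Naked Objects v5.0 source defines for its authoriser.
    public sealed class ClaimsAuthorizer
    {
        private readonly PermissionStore _store;
        public ClaimsAuthorizer(PermissionStore store) { _store = store; }

        public bool IsVisible(ClaimsPrincipal user, Type type, string member)
        { return Check(user, type, member, Access.View); }

        public bool IsEditable(ClaimsPrincipal user, Type type, string member)
        { return Check(user, type, member, Access.Edit); }

        private bool Check(ClaimsPrincipal user, Type type, string member, Access access)
        {
            var roles = _store.RolesFor(type, member, access);
            if (roles == null) return false;   // default deny: unlisted type or member
            // Role claims are only trustworthy because the WIF pipeline has already
            // validated the token's signature and issuer before this code runs.
            return roles.Any(r => user.HasClaim(ClaimTypes.Role, r));
        }
    }

    public static class Demo
    {
        // Constructed principal, standing in for the one WIF builds from the token.
        static ClaimsPrincipal Principal(string name, params string[] roles)
        {
            var claims = new List<Claim> { new Claim(ClaimTypes.Name, name) };
            claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
            return new ClaimsPrincipal(new ClaimsIdentity(claims, "Constructed"));
        }

        public static void Main()
        {
            var store = new PermissionStore();
            // Class-level: tellers and managers may view Account members; only managers may edit.
            store.Allow("Bank.Account", Access.View, "Teller", "Manager");
            store.Allow("Bank.Account", Access.Edit, "Manager");
            // Member-level override: CreditLimit is hidden from tellers.
            store.Allow("Bank.Account.CreditLimit", Access.View, "Manager");

            var auth = new ClaimsAuthorizer(store);
            var teller = Principal("alice", "Teller");
            var manager = Principal("bob", "Manager");

            Console.WriteLine(auth.IsVisible(teller, typeof(Bank.Account), "Balance"));      // class-level View rule
            Console.WriteLine(auth.IsVisible(teller, typeof(Bank.Account), "CreditLimit"));  // member-level View rule
            Console.WriteLine(auth.IsEditable(teller, typeof(Bank.Account), "Balance"));     // class-level Edit rule
            Console.WriteLine(auth.IsEditable(manager, typeof(Bank.Account), "Close"));      // class-level Edit rule
            Console.WriteLine(auth.IsVisible(manager, typeof(Bank.Account), "CreditLimit")); // member-level View rule
        }
    }
}
```

Two design points worth keeping if this is turned into a real authoriser: the default is deny, so a new type or member added to the domain model is invisible until someone writes a rule for it, and role lookups are case-insensitive while type/member keys are exact, since the latter come from reflection and a near-miss there should fail loudly rather than silently fall back to the class-level rule.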