How to Assign the Current Principal with IAuthorizationPolicy to Allow Authorization Using Custom Authentication

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

If your application uses custom authentication, you need to create a class that implements IAuthorizationPolicy. In this class you retrieve the principal from the cache that the custom authentication populated, or build it from the store based on the user name, so that WCF can authorize the user. After you get the principal, assign it to EvaluationContext.Properties["Principal"] and assign its identity to EvaluationContext.Properties["Identities"].
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using CustomAuthenticator;   // the custom authentication library that populates the principal cache

namespace AuthorizationPolicy
{
    public class AuthorizationPrincipalPolicy : IAuthorizationPolicy
    {
        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            object obj;
            if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
                return false;

            IList<IIdentity> identities = obj as IList<IIdentity>;

            // make sure there is already a default identity
            if (identities == null || identities.Count <= 0)
                return false;

            string username = identities[0].Name;

            // get the principal from the cache or build another one
            // (the cache lookup itself is not shown on the original page)
            IPrincipal principal = null; // TODO: look up the principal cached by the custom authenticator

            if (principal == null)
            {
                string[] roles = new string[0]; // TODO: load the user's roles from the store
                principal = new GenericPrincipal(
                    new GenericIdentity(username, "Custom Provider"), roles);
            }

            // WCF reads "Principal" for authorization; replace "Identities" with
            // the identity of the principal we just assigned
            evaluationContext.Properties["Principal"] = principal;
            evaluationContext.Properties["Identities"] =
                new List<IIdentity>() { principal.Identity };

            return true;
        }

        public ClaimSet Issuer
        {
            get { return ClaimSet.System; }
        }

        public string Id
        {
            get { return "ContextPrincipalPolicy"; }
        }
    }
}

The policy library is configured in the web.config or app.config file, or in code. The following example configures the policy in the config file: add the policy to the authorizationPolicies collection of the serviceAuthorization behavior, and set the add element's policyType attribute to the fully qualified type name and assembly of the custom authorization policy.
<!-- The serviceAuthorization behavior allows one to specify custom authorization policies. -->
<serviceAuthorization serviceAuthorizationManagerType="Microsoft.ServiceModel.Samples.MyServiceAuthorizationManager, service">
  <authorizationPolicies>
    <add policyType="Microsoft.ServiceModel.Samples.CustomAuthorizationPolicy.MyAuthorizationPolicy, PolicyLibrary" />
  </authorizationPolicies>
</serviceAuthorization>
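The page leaves out the other half of the flow: the custom authenticator that fills the cache the policy reads from, and the service code that consumes the principal the policy assigned. The following is an added example, not code from the original page or from the patterns & practices guidance; the names PrincipalCache, CachingPasswordValidator, CredentialStore and PayrollService are assumptions, and the credential and role data are constructed. The authorization policy shown above would obtain the principal with a call such as PrincipalCache.Get(username) and fall back to its store lookup on a miss. When the serviceAuthorization behavior also has principalPermissionMode="Custom", WCF copies the policy's Properties["Principal"] to Thread.CurrentPrincipal, which is what makes the PrincipalPermission demand on the service operation evaluate against the roles the policy assigned.

```csharp
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Selectors;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

namespace AuthorizationPolicy.Example
{
    // Assumed name: a process-wide cache that the custom authenticator fills and
    // the IAuthorizationPolicy reads. It is keyed by user name because the
    // "Identities" property gives the policy only the identity name.
    public static class PrincipalCache
    {
        private static readonly ConcurrentDictionary<string, IPrincipal> Entries =
            new ConcurrentDictionary<string, IPrincipal>(StringComparer.OrdinalIgnoreCase);

        public static void Put(IPrincipal principal)
        {
            Entries[principal.Identity.Name] = principal;
        }

        // Returns null on a miss so the policy can fall back to its store lookup.
        public static IPrincipal Get(string username)
        {
            IPrincipal principal;
            return Entries.TryGetValue(username, out principal) ? principal : null;
        }

        // Call this when a user's roles change so the policy never reuses stale roles.
        public static void Remove(string username)
        {
            IPrincipal ignored;
            Entries.TryRemove(username, out ignored);
        }
    }

    // Assumed name: the custom authentication step. WCF calls Validate for each
    // UserName credential when this validator is configured; on success the
    // validator caches the principal that the policy will later assign.
    public class CachingPasswordValidator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (!CredentialStore.Verify(userName, password))
                throw new FaultException("Unknown user name or incorrect password.");

            string[] roles = CredentialStore.GetRoles(userName);
            IIdentity identity = new GenericIdentity(userName, "Custom Provider");
            PrincipalCache.Put(new GenericPrincipal(identity, roles));
        }
    }

    // Constructed in-memory store standing in for the real credential and role store.
    public static class CredentialStore
    {
        public static bool Verify(string userName, string password)
        {
            // Constructed check for the example; a real store compares a salted hash.
            return userName == "alice" && password == "example-only";
        }

        public static string[] GetRoles(string userName)
        {
            return userName == "alice" ? new[] { "Managers" } : new string[0];
        }
    }

    [ServiceContract]
    public interface IPayroll
    {
        [OperationContract]
        decimal GetSalary(string employee);
    }

    // The demand below is checked against Thread.CurrentPrincipal, which WCF sets
    // from Properties["Principal"] when principalPermissionMode="Custom".
    public class PayrollService : IPayroll
    {
        [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
        public decimal GetSalary(string employee)
        {
            return 1000m; // constructed value
        }
    }
}
```

The cache holds entries for the life of the process, so role changes or account disablement are not seen by the policy until the entry is removed or the validator runs again; tie the cache to the session lifetime or expire entries, and remove them when roles change. Returning false from Evaluate when no identity is present keeps the policy failing closed: a request with no authenticated identity never receives a principal.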

Additional Resources

Last edited Jun 13, 2008 at 6:28 PM by prashantbansode, version 1
