I'm trying to use claims to control access to a resource in MVC. I'm struggling though when I try and protect a resource with an argument. For example, if I want to allow edit actions to be performed on vehicles they own and have claims for:
I add claims:
http://tempuri/registration: AA11XX
http://tempuri/registration: BB11YY
Then I have an MVC Action such as:
    [ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Post", Resource = "Vehicle/{registration}")]
    public ActionResult Edit(string registration)
    {
        //Stuff
    }
I want to make sure that the parameter being passed into the Edit method is on the list of claims for registrations. I know I can do this imperatively inside the action, but I want to do it declaratively.
I can use the WIF pipeline and override the CheckAccess method.
    public class AuthorisationManager : ClaimsAuthorizationManager
    {
        public override bool CheckAccess(AuthorizationContext context)
        { ... }
    }
AuthorizationContext includes the resource requested, and the claims the user has. The missing link is knowing what parameter was passed into the MVC action.
Is there a way of doing this, or am I approaching the whole thing the wrong way?
Thanks a lot,
Paul
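
One way to make the check declarative, as an added example that is not part of the original post: an MVC action filter that reads the model-bound action parameter and compares it with the caller's claims, which a `ClaimsPrincipalPermission` attribute cannot do because its `Resource` string is fixed at compile time. The attribute name `RequireClaimForParameterAttribute` and the `VehicleController` class are hypothetical; the claim type is the one from the question, and exact (ordinal) matching of the registration is an assumption.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;

// Hypothetical attribute, not part of MVC or WIF.
[AttributeUsage(AttributeTargets.Method)]
public sealed class RequireClaimForParameterAttribute : ActionFilterAttribute
{
    private readonly string _claimType;
    private readonly string _parameterName;

    public RequireClaimForParameterAttribute(string claimType, string parameterName)
    {
        _claimType = claimType;
        _parameterName = parameterName;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // ActionParameters holds the values after model binding, so this is the
        // exact value the action will receive, whether it came from the route,
        // the query string or the form body.
        object bound;
        filterContext.ActionParameters.TryGetValue(_parameterName, out bound);
        var requested = bound as string;
        var principal = filterContext.HttpContext.User as ClaimsPrincipal;

        // Fail closed: no principal, no authenticated identity, an empty
        // parameter or no matching claim all end in a 403.
        bool allowed = principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated
            && !string.IsNullOrWhiteSpace(requested)
            && principal.FindAll(_claimType)
                        .Any(c => string.Equals(c.Value, requested, StringComparison.Ordinal));

        if (!allowed)
            filterContext.Result = new HttpStatusCodeResult(403); // short-circuits the action
    }
}

public class VehicleController : Controller // hypothetical controller
{
    [HttpPost]
    [RequireClaimForParameter("http://tempuri/registration", "registration")]
    public ActionResult Edit(string registration)
    {
        return new EmptyResult(); // placeholder for the edit logic
    }
}
```

Action filters run after authorization filters, so keep `[Authorize]` (or an equivalent) on the controller for the authentication check and use this attribute only for the per-resource ownership check.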