How to: Create a Custom Authorization Attribute
[ This document was written for WCF RIA Services Version 1 Service Pack 2 and might not be up to date. Please see the Release Notes or Changelog for a list of changes since WCF RIA Services. ]
This topic demonstrates how to add a custom attribute for authorization. The Open Ria Services framework provides the RequiresAuthenticationAttribute and RequiresRoleAttribute attributes. These attributes enable you to easily specify which domain operations are only available to authenticated users or users in a specific role. In addition to these two attributes, you can create an attribute that represents customized authorization logic and then apply the attribute to domain operations.
When you expose a domain service, the domain service is available to everyone on the network. You cannot assume that your client application is the only application that will access the domain service. You can use customized authorization attributes to restrict access to domain operations even when a domain operation is called from outside your client application, because the attribute is evaluated on the server before the operation runs.
In this topic you create a custom authorization attribute by creating a class that derives from AuthorizationAttribute and overriding the IsAuthorized method to provide your customized logic. You can use the IPrincipal parameter and the AuthorizationContext parameter to access information that may be required within your customized authorization code. For insert, update, and delete operations the AuthorizationContext.Instance property holds the entity being changed; for query operations there is no entity instance, so Instance is null, and an attribute that is applied to a query must not dereference it.

To create a customized authorization attribute

  1.
    In the server project, create a class that derives from AuthorizationAttribute.
  2.
    Override the IsAuthorized method and add logic for determining authorization.
    The following examples show two custom attributes. CheckAttendeeNameAttribute is the minimal form: it checks only the caller's role and name. RestrictAccessToAssignedManagers also uses the AuthorizationContext: it checks whether the authenticated user is the manager of the employee whose EmployeePayHistory record is being modified, and denies the operation if either employee record cannot be found.

``` vb
Public Class CheckAttendeeNameAttribute
    Inherits AuthorizationAttribute

    ' Allows only callers in the Attendee role whose user name starts with "A".
    Protected Overrides Function IsAuthorized(ByVal principal As System.Security.Principal.IPrincipal, ByVal authorizationContext As System.ComponentModel.DataAnnotations.AuthorizationContext) As System.ComponentModel.DataAnnotations.AuthorizationResult
        If (principal.IsInRole("Attendee") AndAlso principal.Identity.Name.StartsWith("A")) Then
            Return AuthorizationResult.Allowed
        Else
            Return New AuthorizationResult("Only attendees whose name starts with A can perform this operation.")
        End If
    End Function
End Class
```

``` vb
Public Class RestrictAccessToAssignedManagers
    Inherits AuthorizationAttribute

    Protected Overrides Function IsAuthorized(ByVal principal As System.Security.Principal.IPrincipal, ByVal authorizationContext As System.ComponentModel.DataAnnotations.AuthorizationContext) As System.ComponentModel.DataAnnotations.AuthorizationResult
        Dim eph As EmployeePayHistory
        Dim selectedEmployee As Employee
        Dim authenticatedUser As Employee

        ' Instance is the entity being inserted, updated or deleted; it is Nothing for queries.
        eph = TryCast(authorizationContext.Instance, EmployeePayHistory)
        If eph Is Nothing Then
            Return New AuthorizationResult("This operation requires an EmployeePayHistory record.")
        End If

        Using context As New AdventureWorksEntities()
            selectedEmployee = context.Employees.SingleOrDefault(Function(e) e.EmployeeID = eph.EmployeeID)
            authenticatedUser = context.Employees.SingleOrDefault(Function(e) e.LoginID = principal.Identity.Name)
        End Using

        ' Fail closed when either record is missing instead of throwing a NullReferenceException.
        If (selectedEmployee IsNot Nothing AndAlso authenticatedUser IsNot Nothing AndAlso selectedEmployee.ManagerID = authenticatedUser.EmployeeID) Then
            Return AuthorizationResult.Allowed
        Else
            Return New AuthorizationResult("Only the authenticated manager for the employee can add a new record.")
        End If
    End Function
End Class
```

``` csharp
public class CheckAttendeeNameAttribute : AuthorizationAttribute
{
    // Allows only callers in the Attendee role whose user name starts with "A".
    protected override AuthorizationResult IsAuthorized(System.Security.Principal.IPrincipal principal, AuthorizationContext authorizationContext)
    {
        if (principal.IsInRole("Attendee") && principal.Identity.Name.StartsWith("A"))
        {
            return AuthorizationResult.Allowed;
        }
        else
        {
            return new AuthorizationResult("Only attendees whose name starts with A can perform this operation.");
        }
    }
}
```

``` csharp
public class RestrictAccessToAssignedManagers : AuthorizationAttribute
{
    protected override AuthorizationResult IsAuthorized(System.Security.Principal.IPrincipal principal, AuthorizationContext authorizationContext)
    {
        // Instance is the entity being inserted, updated or deleted; it is null for queries.
        EmployeePayHistory eph = authorizationContext.Instance as EmployeePayHistory;
        if (eph == null)
        {
            return new AuthorizationResult("This operation requires an EmployeePayHistory record.");
        }

        Employee selectedEmployee;
        Employee authenticatedUser;

        using (AdventureWorksEntities context = new AdventureWorksEntities())
        {
            selectedEmployee = context.Employees.SingleOrDefault(e => e.EmployeeID == eph.EmployeeID);
            authenticatedUser = context.Employees.SingleOrDefault(e => e.LoginID == principal.Identity.Name);
        }

        // Fail closed when either record is missing instead of throwing a NullReferenceException.
        if (selectedEmployee != null && authenticatedUser != null && selectedEmployee.ManagerID == authenticatedUser.EmployeeID)
        {
            return AuthorizationResult.Allowed;
        }
        else
        {
            return new AuthorizationResult("Only the authenticated manager for the employee can add a new record.");
        }
    }
}
```
  3.
    To perform the customized authorization logic, apply the custom authorization attribute to the domain operation.
    The following example shows the RestrictAccessToAssignedManagers attribute applied to a domain operation. The framework evaluates the attribute before the method body runs and rejects the change when the attribute returns an error result.

``` vb
<RestrictAccessToAssignedManagers()> _
Public Sub InsertEmployeePayHistory(ByVal employeePayHistory As EmployeePayHistory)
    If employeePayHistory.EntityState <> EntityState.Detached Then
        Me.ObjectContext.ObjectStateManager.ChangeObjectState(employeePayHistory, EntityState.Added)
    Else
        Me.ObjectContext.EmployeePayHistories.AddObject(employeePayHistory)
    End If
End Sub
```

``` csharp
[RestrictAccessToAssignedManagers]
public void InsertEmployeePayHistory(EmployeePayHistory employeePayHistory)
{
    if (employeePayHistory.EntityState != EntityState.Detached)
    {
        this.ObjectContext.ObjectStateManager.ChangeObjectState(employeePayHistory, EntityState.Added);
    }
    else
    {
        this.ObjectContext.EmployeePayHistories.AddObject(employeePayHistory);
    }
}
```
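The following is an added, self-contained C# example that is not part of the original topic or of the Open Ria Services project. It puts the three steps together and exercises the attribute outside a running domain service, so the fail-closed paths can be checked directly: an unauthenticated caller, a query context with no Instance, a login with no employee row, and a caller who is not the assigned manager. It assumes the server assembly that provides AuthorizationAttribute, AuthorizationContext and AuthorizationResult in the System.ComponentModel.DataAnnotations namespace (as in the code above), and that AuthorizationContext has the constructor (instance, operation, operationType, serviceProvider, items). EmployeeDirectory and its rows are a constructed stand-in for AdventureWorksEntities; the class name RestrictAccessToAssignedManagersAttribute and the Check helper are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations; // AuthorizationAttribute, AuthorizationContext, AuthorizationResult
using System.Linq;
using System.Security.Principal;

// Minimal entity shapes standing in for the AdventureWorks model (constructed for this example).
public class EmployeePayHistory
{
    public int EmployeeID { get; set; }
    public decimal Rate { get; set; }
}

public class Employee
{
    public int EmployeeID { get; set; }
    public int? ManagerID { get; set; }   // null at the top of the reporting chain
    public string LoginID { get; set; }
}

// Constructed stand-in for AdventureWorksEntities; the rows are invented sample data.
public static class EmployeeDirectory
{
    public static readonly List<Employee> Employees = new List<Employee>
    {
        new Employee { EmployeeID = 1, ManagerID = null, LoginID = @"adventure-works\ken0" },
        new Employee { EmployeeID = 2, ManagerID = 1,    LoginID = @"adventure-works\terri0" },
        new Employee { EmployeeID = 3, ManagerID = 2,    LoginID = @"adventure-works\roberto0" },
    };
}

public class RestrictAccessToAssignedManagersAttribute : AuthorizationAttribute
{
    protected override AuthorizationResult IsAuthorized(IPrincipal principal, AuthorizationContext authorizationContext)
    {
        // Fail closed on an unauthenticated caller; do not depend on RequiresAuthentication also being applied.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            return new AuthorizationResult("Authentication is required.");
        }

        // Instance is the entity being inserted, updated or deleted. For a query there is no
        // instance, and for another entity type the cast would fail: deny instead of throwing.
        var eph = authorizationContext.Instance as EmployeePayHistory;
        if (eph == null)
        {
            return new AuthorizationResult("This operation requires an EmployeePayHistory record.");
        }

        Employee selectedEmployee = EmployeeDirectory.Employees.SingleOrDefault(e => e.EmployeeID == eph.EmployeeID);
        Employee authenticatedUser = EmployeeDirectory.Employees.SingleOrDefault(
            e => string.Equals(e.LoginID, principal.Identity.Name, StringComparison.OrdinalIgnoreCase));

        // A missing employee, a login with no employee row, and the wrong manager all get the
        // same answer, so the error message does not reveal which employee IDs exist.
        if (selectedEmployee == null || authenticatedUser == null ||
            selectedEmployee.ManagerID != authenticatedUser.EmployeeID)
        {
            return new AuthorizationResult("Only the authenticated manager for the employee can add a new record.");
        }

        return AuthorizationResult.Allowed;
    }
}

public static class Program
{
    // Invokes the attribute the way the framework does, through the public Authorize method,
    // with a context shaped like the one built for a submit operation. The constructor
    // signature (instance, operation, operationType, serviceProvider, items) is assumed.
    public static AuthorizationResult Check(string loginId, object instance)
    {
        var principal = new GenericPrincipal(new GenericIdentity(loginId), new string[0]);
        var context = new AuthorizationContext(instance, "InsertEmployeePayHistory", "Insert", null, null);
        return new RestrictAccessToAssignedManagersAttribute().Authorize(principal, context);
    }

    public static void Main()
    {
        var record = new EmployeePayHistory { EmployeeID = 3, Rate = 42.0m };

        // terri0 (employee 2) is the assigned manager of employee 3: allowed.
        Console.WriteLine(Check(@"adventure-works\terri0", record) == AuthorizationResult.Allowed);
        // ken0 is two levels up, not the assigned manager: denied.
        Console.WriteLine(Check(@"adventure-works\ken0", record).ErrorMessage);
        // A query carries no instance: denied rather than a NullReferenceException.
        Console.WriteLine(Check(@"adventure-works\terri0", null).ErrorMessage);
        // No employee row for this login: denied with the same message as the wrong manager.
        Console.WriteLine(Check(@"adventure-works\nobody", record).ErrorMessage);
    }
}
```

Keeping the attribute free of the Entity Framework context (here by reading from EmployeeDirectory) is what makes it testable with a GenericPrincipal; in a real service you would inject or open the context inside IsAuthorized as the topic's code does, and the four cases above are still the ones worth covering in a unit test.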