Trying to understand the lifetime of the AuthorizationContext object

Posted on 2024-08-03 16:11:03, word count 808, 7 views, 0 comments

I have a simple authorization setup that checks for certain configured Active Directory roles in a custom authorization policy (IAuthorizationPolicy) - and adds claims if those roles are possessed. On top of that, I have a subclass of ServiceAuthorizationManager which overrides CheckAccessCore. It verifies possession of some of the claims that were added in the evaluation of the custom authorization policy in order to confirm or deny an incoming message.

So, the setup of these components is working fine in my service - my question is around when they are called / the lifetime of objects associated with them. My subclassed ServiceAuthorizationManager is being called for every call made to the service - this is what I expected. However, my custom authorization policy is also being called in every call to the service - which is not what I expected. I can see with every call to the service, a new AuthorizationContext object is generated.

I think my expectations were based on the following:
The AuthorizationContext would be created after authentication takes place - and this wouldn't happen every time the service is called because the client is connecting on a NetTcpBinding, on the same proxy with each call (and I thought with the same open socket on the transport), using transport security with Windows credentials, with a service session instance.

So, what I expected overall was that the AuthorizationContext would be generated only when a new session is created, or when the old AuthorizationContext object expired according to its ExpirationTime property (not on every call to the service).

So, if someone could tell me what the reality of the situation is for the lifetime of the AuthorizationContext object - or perhaps tell me how to change the service to get it to behave the way I expected, I would very much appreciate it.

For context - if it makes any difference - I'm still using the 3.0 CLR libraries.

Thanks
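
The setup described in the question, with logging added so that each policy evaluation and the `Id` and `ExpirationTime` of each AuthorizationContext can be observed per call. This is an added example, not the poster's code; the class names, the claim type URI and the role name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical names throughout: RoleClaimPolicy, ClaimCheckManager, claim type URI, role.
public class RoleClaimPolicy : IAuthorizationPolicy
{
    public const string ClaimType = "http://example.org/claims/role"; // placeholder URI
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        Console.WriteLine("{0:o} Evaluate called on policy {1}", DateTime.UtcNow, id);
        object obj;
        if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
            return false; // identities not populated yet; ask to be evaluated again
        List<Claim> claims = new List<Claim>();
        foreach (IIdentity identity in (IList<IIdentity>)obj)
        {
            WindowsIdentity wi = identity as WindowsIdentity;
            if (wi != null && new WindowsPrincipal(wi).IsInRole(@"EXAMPLE\ServiceUsers"))
                claims.Add(new Claim(ClaimType, "ServiceUsers", Rights.PossessProperty));
        }
        evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, claims));
        return true; // this policy has nothing more to add
    }
}

public class ClaimCheckManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        if (security == null) return false; // no security context: deny
        AuthorizationContext ctx = security.AuthorizationContext;
        Console.WriteLine("{0:o} CheckAccessCore: context {1}, expires {2:o}",
            DateTime.UtcNow, ctx.Id, ctx.ExpirationTime);
        foreach (ClaimSet set in ctx.ClaimSets)
            if (ReferenceEquals(set.Issuer, ClaimSet.System)) // issuer used by RoleClaimPolicy
                foreach (Claim claim in set.FindClaims(ClaimType(), Rights.PossessProperty))
                    return true;
        return false; // deny by default when the expected claim is absent
    }
    private static string ClaimType() { return RoleClaimPolicy.ClaimType; }
}
```

Comparing the logged context `Id` values across several calls on one proxy shows whether a context is being reused or rebuilt for each message.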
