The Security Application Block provides extension points to implement a custom authorization provider; we may extend either the IAuthorizationProvider interface or the abstract class AuthorizationProvider. The Authorize method is where we need to provide our authorization logic. Both the extension points are part of the Microsoft.Practices.EnterpriseLibrary.Security namespace.
Following is the IAuthorizationProvider interface which exposes the Authorize method:
public interface IAuthorizationProvider
{
bool Authorize(IPrincipal principal, string context);
}
The following code snippet shows the implementation of the AuthorizationProvider abstract class, which inherits the IAuthorizationProvider interface and provides wiring of the instrumentation provider for instrumentation purposes:
public abstract class AuthorizationProvider : IAuthorizationProvider
{
IAuthorizationProviderInstrumentationProvider instrumentationProvider;
protected AuthorizationProvider()
: this(new NullAuthorizationProviderInstrumentationProvider())
{
}
protected AuthorizationProvider(IAuthorizationProviderInstrumentationProvider instrumentationProvider)
{
if (instrumentationProvider == null) throw new ArgumentNullException("instrumentationProvider");
this.instrumentationProvider = instrumentationProvider;
}
public abstract bool Authorize(IPrincipal principal, string context);
protected IAuthorizationProviderInstrumentationProvider InstrumentationProvider
{
get { return this.instrumentationProvider; }
}
}
Implementing a custom authorization provider is pretty straight-forward. As mentioned previously, we can inherit from the AuthorizationProvider class and provide an override the Authorize method to provide our authorization logic. Apart from that, we also have to decorate the class with the ConfigurationElementType attribute. To make our job easy, the application block provides the CustomAuthorizationProviderData class, which holds a configuration object for custom providers. This class is part of the Microsoft.Practices.EnterpriseLibrary.Security.Configuration namespace.
The following code snippet shows a typical custom Authorization Provider implementation:
[ConfigurationElementType(typeof(CustomAuthorizationProviderData))]
public class XmlAuthorizationProvider : AuthorizationProvider
{
public XmlAuthorizationProvider(NameValueCollection configurationItems) { }
public override bool Authorize(IPrincipal principal, string context)
{
// Custom authorization logic goes here
// Return true or false based on the authorization outcome
return false;
}
}