Monday, February 10, 2014

Tip: Controller method attributed with "ClaimsAuthorize" triggers the "ClaimsAuthorizationManager" "CheckAccess" method twice.

If you use the Thinktecture Identity Model framework, you will most probably use the "ClaimsAuthorize" attribute on the methods of your MVC controller classes. If you put a breakpoint in your custom authorization manager, you will notice that "CheckAccess" is called twice for methods that have the "ClaimsAuthorize" attribute: once for the default Action/Resource, and a second time for the custom Action/Resource that you specified in the attribute.

The reason for this is that you have registered the "ClaimsAuthorizeAttribute" in the FilterConfig class and have also instrumented your controller method with the attribute.

The FilterConfig setup is used when we want the WIF framework to trigger "CheckAccess" for each and every controller method in our MVC project. With the "ClaimsAuthorize" attribute alone, if the global filter is not set, only the methods that are instrumented with it will trigger "CheckAccess".
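The following sketch shows the two registrations together with an authorization manager that traces each call. It is an added example, not code from the original post. The controller name, the "Read"/"Report" pair, the "permission" claim and the TracingAuthorizationManager class are hypothetical, and the manager is assumed to be registered as the claimsAuthorizationManager in the application's identity configuration.

```csharp
using System.Diagnostics;
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;
using Thinktecture.IdentityModel.Authorization.Mvc;

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        // Global registration: CheckAccess runs for every controller method
        // with the default Action/Resource (assumed here to be the route's
        // action and controller names).
        filters.Add(new ClaimsAuthorizeAttribute());
    }
}

public class ReportsController : Controller   // hypothetical controller
{
    // Per-method attribute: a second CheckAccess call, this time with the
    // custom Action/Resource given here.
    [ClaimsAuthorize("Read", "Report")]
    public ActionResult Index()
    {
        return View();
    }
}

public class TracingAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        var action = context.Action.Select(c => c.Value).FirstOrDefault();
        var resources = context.Resource.Select(c => c.Value).ToList();
        // With both registrations in place, one request to Index produces
        // two trace lines: the default pair and "Read"/"Report".
        Trace.WriteLine(string.Format("CheckAccess: action={0} resource={1}",
            action, string.Join(",", resources)));

        if (!context.Principal.Identity.IsAuthenticated) return false;
        if (action == "Read" && resources.Contains("Report"))
            return context.Principal.HasClaim("permission", "report.read"); // hypothetical claim
        // The call from the global filter arrives with the default pair and
        // must also succeed, or the custom check never grants access.
        return true;
    }
}
```

Both calls have to return true for the request to go through, so a manager that denies every Action/Resource pair it does not recognize will block the method on the global filter's call, whatever the custom pair would have allowed.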