What can be the best way to implement custom authorization attribute in MVC 3 using claims?
For example we have claims:
public static class OrderClaims
{
public static Claim Create = new Claim(ClaimTypes.Create, Resources.Order, Rights.PossessProperty);
public static Claim Read = new Claim(ClaimTypes.Read, Resources.Order, Rights.PossessProperty);
public static Claim Update = new Claim(ClaimTypes.Update, Resources.Order, Rights.PossessProperty);
public static Claim Delete = new Claim(ClaimTypes.Delete, Resources.Order, Rights.PossessProperty);
}
The ClaimTypes class:
public static class ClaimTypes
{
public const string Create = "http://schemas.testsite.com/2012/01/claims/create";
public const string Read = "http://schemas.testsite.com/2012/01/claims/read";
public const string Update = "http://schemas.testsite.com/2012/01/claims/update";
public const string Delete = "http://schemas.testsite.com/2012/01/claims/delete";
}
and Resources:
public static class Resources
{
public const string Orders = "http://schemas.testsite.com/2012/01/resources/orders";
public const string Customers = "http://schemas.testsite.com/2012/01/resources/customers";
}
The first way to implement authorization attribute that I thought of is add 2 string properties
to ClaimAuthorizeAttribute class:
public class ClaimAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
public string ClaimType {get;set;}
public string Resource {get;set;}
}
and apply this attribute to controller/action:
[ClaimAuthorizeAttribute(ClaimType = ClaimTypes.Create, Resource = Resources.Orders)]
public ActionResult CreateOrder()
{
...
}
the second way I thought of was to add one attribute of type Claim, so the action attribute will look like this one:
[ClaimAuthorizeAttribute(Claim = OrderClaims.Create)]
public ActionResult CreateOrder()
{
...
}
but that'll give compiler error (An attribute argument must be a constant expression...).
How would You implement claims authorization in MVC 3?
