rahulga

Reputation: 23

Override SharePoint 2010 authorization - claims authentication

• How can we override the authorization mechanism in SP 2010 (claims auth scenario) to execute our custom logic rather than using the OOB SP logic? When I say override, I mean that I should be able to allow/deny access to any requested resource through my logic irrespective of SP permissions.
• Through other discussions I came to understand that we cannot override the authorization mechanism in SP 2010, but I am okay with customizations to any extent (like modules etc.).
• I already know that we can insert custom logic "before" authorization is done by SP and transform/add/remove claims of authenticated users. But the requirements that we have cannot be solved by a custom claims provider because we won't come to know about the resources being accessed in the request (except for the URL being accessed). In other words, we want our logic to be executed every time SP makes an authorization decision so that we can know which resource is being accessed, based on which we would do some calculations to decide.

Upvotes: 1

Views: 662

Answers (1)

sebastiandurandeu

Reputation: 261

You can handle an event in the SPSessionAuthenticationModule, and perform custom logic there. In particular, you can override the SessionSecurityTokenReceived event to inspect the token content and perform a custom action based on its content. You can also inspect the HttpContext.Current, for URLs, request content, etc.

Check this sample code, which can be added to the SharePoint Application Global.asax file.

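<%@ Import Namespace="Microsoft.IdentityModel.Web" %>
<script runat="server">
// Subscribe once per application instance, before the base class initializes.
public override void Init()
{
    FederatedAuthentication.SessionAuthenticationModule.SessionSecurityTokenReceived += new EventHandler<SessionSecurityTokenReceivedEventArgs>(SessionAuthenticationModule_SessionSecurityTokenReceived);

    base.Init();
}

// Raised when the session token has been read from the request's session cookie.
void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
{
    // Validity window of the session token.
    DateTime validFrom = e.SessionToken.ValidFrom;
    DateTime validTo = e.SessionToken.ValidTo;
    // ...

}
</script>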

Upvotes: 1
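
An added example, not part of the original answer: one way to use the handler above as a deny gate keyed on the request URL and the token's claims. The class name `UrlClaimGate`, the `/sites/finance` prefix and the `http://example.test/claims/dept` claim type are hypothetical, and the sketch assumes the WIF 1.0 (`Microsoft.IdentityModel`) types that SharePoint 2010 uses.

```csharp
// Added example: hypothetical URL-prefix policy checked in the WIF event handler.
using System;
using System.Collections.Generic;
using System.Web;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Web;

public static class UrlClaimGate
{
    // Constructed sample policy: path prefix -> claim (type, value) the caller must hold.
    static readonly Dictionary<string, KeyValuePair<string, string>> Policy =
        new Dictionary<string, KeyValuePair<string, string>>
        {
            { "/sites/finance", new KeyValuePair<string, string>("http://example.test/claims/dept", "finance") }
        };

    // Pure decision function: true unless the path is under a protected prefix
    // and no matching claim is present (fails closed for protected paths).
    public static bool IsAllowed(string path, IEnumerable<Claim> claims)
    {
        foreach (var rule in Policy)
        {
            // Match on a segment boundary so "/sites/finance-public" is not caught.
            bool under = path.Equals(rule.Key, StringComparison.OrdinalIgnoreCase)
                || path.StartsWith(rule.Key + "/", StringComparison.OrdinalIgnoreCase);
            if (!under) continue;
            bool holds = false;
            foreach (Claim c in claims)
                if (c.ClaimType == rule.Value.Key && c.Value == rule.Value.Value) holds = true;
            if (!holds) return false;
        }
        return true;
    }

    // Wire up with: FederatedAuthentication.SessionAuthenticationModule.SessionSecurityTokenReceived += UrlClaimGate.OnTokenReceived;
    public static void OnTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        var claims = new List<Claim>();
        foreach (IClaimsIdentity id in e.SessionToken.ClaimsPrincipal.Identities)
            claims.AddRange(id.Claims);
        if (!IsAllowed(ctx.Request.Url.AbsolutePath, claims))
        {
            ctx.Response.StatusCode = 403;              // deny regardless of SharePoint permissions
            ctx.ApplicationInstance.CompleteRequest();  // skip the rest of the pipeline
        }
    }
}
```

The gate sees only the URL and the claims, and requests it lets through are still subject to SharePoint's own permission checks.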
