David

Reputation: 3157

What is the difference between ClaimsPrincipalPermission and AuthorizeAttribute?

I have an MVC/Web API site and was implementing claims-based authentication/authorization.

I started off deriving from AuthorizeAttribute for some custom authentication needs (including adding a couple of properties to the constructor of AuthorizeAttribute).

I then recognized that the latest .NET was referencing the ClaimsPrincipalPermission attribute instead. I have read that you cannot derive a custom ClaimsPrincipalPermission attribute from it. Other than this, why would one use one attribute vs. the other one?

thx

Upvotes: 0

Views: 852

Answers (1)

JuanR

Reputation: 7803

First, a little bit of background:

The AuthorizeAttribute attribute class is particular to MVC, while the ClaimsPrincipalPermission attribute class is part of what was formerly known as the Windows Identity Foundation, which has now been included in the .NET Framework. MS advocates WIF as the de facto standard for separating business logic from authorization logic. WIF itself is a merge of the classic authentication/authorization scheme (IIdentity, IPrincipal) with the concept of claims, brought by WCF. The new implementations are ClaimsIdentity and ClaimsPrincipal, respectively, which add claims capabilities but still derive from the old interfaces for compatibility purposes.

On to the answer:

The AuthorizeAttribute class essentially targets the old, basic IPrincipal interface, while the ClaimsPrincipalPermission attribute uses the new tooling. The biggest difference, however, is that ClaimsPrincipalPermission throws an exception of type SecurityException, which is not very ideal or testable for obvious reasons.

Dominick Baier has written a very good article on his solution to this shortcoming:

http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/

Here is a similar discussion on StackOverflow:

MVC5 Claims version of the Authorize attribute

Upvotes: 1
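
To illustrate the difference the answer describes, here is an added example (not code from the answer or from the linked article) of an MVC AuthorizeAttribute subclass that asks the configured ClaimsAuthorizationManager for a decision and returns an HTTP status instead of throwing SecurityException. The names `ClaimsAuthorizeAttribute` and `CustomersController` and the "Add"/"Customer" values are hypothetical; it assumes .NET Framework 4.5 with references to System.IdentityModel.Services and System.Web.Mvc.

```csharp
using System.IdentityModel.Services;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using ClaimsAuthorizationContext = System.Security.Claims.AuthorizationContext;

// Hypothetical attribute (added example): MVC filter pipeline, WIF decision.
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _action;
    private readonly string _resource;

    public ClaimsAuthorizeAttribute(string action, string resource)
    {
        _action = action;
        _resource = resource;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false; // deny when there is no authenticated claims principal

        // The manager registered under <system.identityModel>; the same one
        // ClaimsPrincipalPermission consults. The framework's base manager
        // returns true for every request, so register your own subclass.
        var manager = FederatedAuthentication.FederationConfiguration
            .IdentityConfiguration.ClaimsAuthorizationManager;
        return manager.CheckAccess(new ClaimsAuthorizationContext(principal, _resource, _action));
    }

    protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: 403. Anonymous: default 401 challenge.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class CustomersController : Controller
{
    // WIF equivalent, which throws SecurityException on denial:
    // [ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Add", Resource = "Customer")]
    [ClaimsAuthorize("Add", "Customer")]
    public ActionResult Create() { return View(); }
}
```

Because the decision lives in `AuthorizeCore`, a unit test can call the filter with a stubbed `HttpContextBase` and assert on the result rather than catching an exception.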
