XSI


XSI consists of the set of classes in the System.Security.Authorization namespace of the System.Security.Authorization assembly. That assembly is another of the constituent assemblies of the Windows Communication Foundation, others being the System.ServiceModel and System.Runtime.Serialization assemblies discussed in the previous chapters. Note that these are the names used by the pre-release builds; in the released .NET Framework 3.0 the same classes ship in the System.IdentityModel assembly, split across the System.IdentityModel.Claims namespace (Claim, ClaimSet, ClaimTypes, Rights) and the System.IdentityModel.Policy namespace (IAuthorizationPolicy, EvaluationContext, AuthorizationContext).

XSI provides a way of controlling access to resources based on claims. To understand how it works, consider this scenario. A man walks into a bar, places his driver's license and a small sum of money on the bar, and asks the bartender for a beer. The bartender looks at the driver's license, takes the money, and serves the man a beer.

In this scenario, the bar represents a service. The serving of beer is an operation. The beer is a protected resource. To access it, a person must be of legal drinking age, and must pay a sum of money for it.

The driver's license and the money both represent claim sets. A claim set is a number of claims provided by the same issuer. In the case of the driver's license, the issuer is a government department that licenses drivers, and in the case of the money, the issuer is a country's central bank. Those issuers are themselves represented only as sets of claims: the logos, signatures, and images on the driver's license and on the money.

Claims consist of a type, a right, and a value (the released API calls the value the claim's resource). One of the claims in the set of claims represented by the driver's license is the driver's date of birth. The type of that claim is date of birth, and the value of that claim is the driver's birth date. The right that a claim confers on the bearer specifies what the bearer can do with the claim's value. In the case of the claim of the driver's date of birth, the right is simply possession: the driver possesses that date of birth but cannot, for example, alter it. XSI defines only two rights, possession of a property and identity; the identity right is reserved for claims that name the bearer (or an issuer), such as the claim that identifies the licensing department on the license.

In examining the driver's license and the money, the bartender translates the claim about the bearer's date of birth provided by the driver's license into a claim about the bearer's age. The bartender also translates the value of each of the proffered items of money on the bar into a claim about the total sum of money being offered. The rules by which the bartender performs these translations from input claim sets to output claim sets constitute the bartender's authorization policy. The claim sets a policy takes as input are collectively referred to as the evaluation context, and the claim sets it produces as the authorization context. A set of authorization policies constitutes an authorization domain.

In taking the money and serving the beer, the bartender compares the claim about the age of the person asking for a beer to the minimum drinking age, and compares the total sum of money being offered to the price of the requested beer. In that process, the bartender is comparing the authorization context claim set yielded by the authorization policy to the access requirements for the operation of serving a beer. Here the claims in the authorization context, the man's age and the total sum offered, satisfied the access requirements for the operation, so the bartender served the man a beer. Had either claim fallen short, the man being under age or the money being insufficient, the operation would have been refused.

To summarize, in XSI, access to an operation on a protected resource is authorized based on claims. Claims have a type, a right, and a value. A claim set is a number of claims provided by the same issuer. The issuer of a claim set is itself a claim set. Authorization based on claims is accomplished in two steps. First, an authorization policy is executed, which takes the evaluation context's claim sets as input and translates them into the authorization context's claim sets that it outputs. Then the claims in the authorization context are compared to the access requirements of the operation, and, depending on the outcome of that comparison, access to the operation is denied or granted. Because it is the bearer who presents the claim sets, an authorization policy must look at each claim set's issuer before translating its claims: a date of birth is only worth as much as the licensing department that issued it, just as the bartender would not accept an age written on a napkin.
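The two-step model summarized above, worked through in code as an added example (it is not code from the book). It uses the claims types as they shipped in .NET Framework 3.0: System.IdentityModel.Claims (Claim, ClaimSet, DefaultClaimSet, ClaimTypes, Rights) and System.IdentityModel.Policy (IAuthorizationPolicy, EvaluationContext, AuthorizationContext), which is where the System.Security.Authorization types named at the start of this chapter ended up. The claim-type URIs urn:example:bar:age and urn:example:bar:amount, the issuer names, the minimum age of 21 and the price of 5 are assumptions made for the illustration, and the PresentedCredentialsPolicy stands in for the token authenticators that populate the evaluation context in a deployed service.

```csharp
// Added example, not from the book: the bar scenario on the claims types that shipped in
// .NET Framework 3.0 (System.IdentityModel). Claim-type URIs, issuer names, age limit and price are invented.
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;

// Stands in for the token authenticators that, in a real service, put the caller's
// authenticated credentials (here the licence and the banknotes) into the evaluation context.
sealed class PresentedCredentialsPolicy : IAuthorizationPolicy
{
    readonly ClaimSet[] presented;
    public PresentedCredentialsPolicy(params ClaimSet[] presented) { this.presented = presented; }
    public string Id { get { return "presented-credentials"; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }
    public bool Evaluate(EvaluationContext context, ref object state)
    {
        if (state != null) return true;     // Evaluate may be called repeatedly; add the sets once
        foreach (ClaimSet cs in presented) context.AddClaimSet(this, cs);
        state = new object();
        return true;                        // nothing further to contribute
    }
}
// The bartender's authorization policy: evaluation context in (date of birth, banknotes),
// authorization context out (age, total amount offered).
sealed class BartenderPolicy : IAuthorizationPolicy
{
    public const string AgeType = "urn:example:bar:age";        // hypothetical claim types
    public const string AmountType = "urn:example:bar:amount";
    public static readonly Claim Identity = new Claim(ClaimTypes.Name, "Bartender", Rights.Identity);
    readonly ClaimSet issuer = new DefaultClaimSet(ClaimSet.System, Identity);
    readonly Claim licensingAuthority, centralBank; readonly DateTime today;
    public BartenderPolicy(Claim licensingAuthority, Claim centralBank, DateTime today)
    { this.licensingAuthority = licensingAuthority; this.centralBank = centralBank; this.today = today; }
    public string Id { get { return "bartender"; } }
    public ClaimSet Issuer { get { return issuer; } }
    public bool Evaluate(EvaluationContext context, ref object state)
    {
        if (state != null) return true;
        List<Claim> output = new List<Claim>();
        decimal total = 0m;
        foreach (ClaimSet cs in context.ClaimSets)
        {
            // A date of birth is translated only if the claim set's issuer is the licensing authority...
            if (cs.Issuer.ContainsClaim(licensingAuthority))
                foreach (Claim c in cs.FindClaims(ClaimTypes.DateOfBirth, Rights.PossessProperty))
                    output.Add(new Claim(AgeType, AgeOn((DateTime)c.Resource), Rights.PossessProperty));
            // ...and a note counts toward the total only if the central bank issued it.
            if (cs.Issuer.ContainsClaim(centralBank))
                foreach (Claim c in cs.FindClaims(AmountType, Rights.PossessProperty))
                    total += (decimal)c.Resource;
        }
        output.Add(new Claim(AmountType, total, Rights.PossessProperty));
        context.AddClaimSet(this, new DefaultClaimSet(issuer, output));
        state = new object();
        return true;
    }
    int AgeOn(DateTime dob)     // whole years completed by 'today'
    { int years = today.Year - dob.Year; return today < dob.AddYears(years) ? years - 1 : years; }
}
// Access requirements of the "serve a beer" operation, checked against the authorization context
// (what a ServiceAuthorizationManager.CheckAccessCore override would do in a hosted service).
static class ServeBeer
{
    public const int MinimumAge = 21; public const decimal Price = 5m;
    public static bool IsAuthorized(AuthorizationContext ctx)
    {
        bool oldEnough = false, paidEnough = false;
        foreach (ClaimSet cs in ctx.ClaimSets)
        {
            if (!cs.Issuer.ContainsClaim(BartenderPolicy.Identity)) continue;   // only the bartender's own conclusions
            foreach (Claim c in cs.FindClaims(BartenderPolicy.AgeType, Rights.PossessProperty))
                oldEnough |= (int)c.Resource >= MinimumAge;
            foreach (Claim c in cs.FindClaims(BartenderPolicy.AmountType, Rights.PossessProperty))
                paidEnough |= (decimal)c.Resource >= Price;
        }
        return oldEnough && paidEnough;
    }
}
static class Program
{
    static void Main()
    {
        // Issuers are themselves claim sets, rooted in the built-in ClaimSet.System.
        Claim dmvIdentity = new Claim(ClaimTypes.Name, "Department of Motor Vehicles", Rights.Identity);
        Claim bankIdentity = new Claim(ClaimTypes.Name, "Central Bank", Rights.Identity);
        ClaimSet dmv = new DefaultClaimSet(ClaimSet.System, dmvIdentity), bank = new DefaultClaimSet(ClaimSet.System, bankIdentity);
        // The licence (a date of birth the bearer merely possesses) and two banknotes, each its own claim set.
        ClaimSet licence = new DefaultClaimSet(dmv, new Claim(ClaimTypes.DateOfBirth, new DateTime(1980, 6, 15), Rights.PossessProperty));
        ClaimSet note5 = new DefaultClaimSet(bank, new Claim(BartenderPolicy.AmountType, 5m, Rights.PossessProperty));
        ClaimSet note1 = new DefaultClaimSet(bank, new Claim(BartenderPolicy.AmountType, 1m, Rights.PossessProperty));
        IAuthorizationPolicy[] policies = {       // credentials first, so their claim sets exist when the bartender runs
            new PresentedCredentialsPolicy(licence, note5, note1),
            new BartenderPolicy(dmvIdentity, bankIdentity, new DateTime(2006, 1, 1)) };
        AuthorizationContext ctx = AuthorizationContext.CreateDefaultAuthorizationContext(policies);
        Console.WriteLine(ServeBeer.IsAuthorized(ctx) ? "Beer served" : "No beer");
    }
}
```

Compile against System.IdentityModel.dll. In a hosted service the same pieces plug in through System.ServiceModel: the bartender policy is registered in ServiceAuthorizationBehavior.ExternalAuthorizationPolicies, and ServeBeer.IsAuthorized is what a ServiceAuthorizationManager subclass would call from CheckAccessCore on operationContext.ServiceSecurityContext.AuthorizationContext. The point to notice is that both steps check issuers: the policy translates a date of birth only when the claim set was issued by the licensing authority, and the access check consults only claims issued by the bartender's own policy, so a caller who presents a claim set asserting their own age gains nothing from it.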




Microsoft Windows Communication Foundation: Hands-on
ISBN: 0672328771
Year: 2006