This works for the typical case of logging into a website, establishing a session and accessing protected web pages.
But what if you just want to protect a file, or an XML resource like an RSS feed?
In this post I’ll propose an extension which would allow Cardspace to be leveraged to protect resources without the need for a UI to be rendered in the browser.
The scenario I’m proposing works like this: Let’s say I have a file, "fs.png" that I want to protect using claims. I host the file somewhere. This is my "claims protected resource".
Now I want to give you a link to the file so you can download it, but only if you have a good token.
Instead of me giving you a link to the file, I give you a link to an XML document that describes the file along with the claims needed to access it. I’ve called this document a "claims protected resource manifest".
It looks like this:
<tokenType value="urn:oasis:names:tc:SAML:1.0:assertion" />
The XML here consists of a targetResource (the file you’re trying to access) along with details of the token needed to access that file. Very similar to the object tag notation currently in use.
When the web server serves this manifest file, it serves it with a new MIME type, application/cpresx-manifest (I just made this up).
That MIME type is associated with a small shim application that you can download and install here [LINK]. The shim examines the manifest and launches Cardspace to obtain a token, in this case a Self Issued Card token.
Once Cardspace is finished, control returns to the shim which forwards the token along with the identifier of the desired file on to a token consumer service on the server.
The token consumer processes the token and streams down the file you asked for originally.
To test this scenario yourself…
- first install the shim application available here [LINK]
- Then access the claims protected resource manifest here [LINK]
You’ll need a self-issued card for this example but the model could be used with managed cards also.
In this example, the claim consumer will grant you access to the resource with any card EXCEPT a card with the first name set to "noaccess".
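To make the server side of the flow above concrete, here is an added example (not the post's shim or claim consumer) of a token consumer in Python: it parses a manifest, reads the claims out of the forwarded token, and applies the demo policy of admitting any card except one whose first name is "noaccess". The manifest element names, the resource lookup table and the unsigned sample token are constructed assumptions; a real consumer verifies the SAML signature before trusting any claim.

```python
import xml.etree.ElementTree as ET

SAML10 = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
GIVENNAME = CLAIMS_NS + "/givenname"
# Constructed manifest (element names assumed): target resource + required token type.
MANIFEST = f"""<cprManifest>
  <targetResource id="fs.png" />
  <tokenType value="{SAML10}" />
  <requiredClaim uri="{GIVENNAME}" />
</cprManifest>"""

# The identifier the shim sends is looked up here, never used as a path: only published resources get served.
RESOURCES = {"fs.png": "/srv/cpr/fs.png"}

def parse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    return {"resource": root.find("targetResource").get("id"),
            "token_type": root.find("tokenType").get("value"),
            "required": [c.get("uri") for c in root.findall("requiredClaim")]}

def read_token(token_xml):
    """Return (token type, {claim URI: value}); CardSpace encodes a claim as AttributeNamespace/AttributeName."""
    root = ET.fromstring(token_xml)
    token_type = root.tag.split("}")[0].lstrip("{")
    ns = {"saml": SAML10}
    claims = {a.get("AttributeNamespace") + "/" + a.get("AttributeName"):
              a.findtext("saml:AttributeValue", namespaces=ns)
              for a in root.iterfind(".//saml:Attribute", ns)}
    return token_type, claims

def authorize(manifest, token_xml, signature_ok):
    """Token consumer decision. signature_ok stands in for the signature/audience
    checks that must pass before any claim is trusted. Policy: any card except first name 'noaccess'."""
    token_type, claims = read_token(token_xml)
    if not signature_ok or token_type != manifest["token_type"]:
        return None
    if any(u not in claims for u in manifest["required"]) or claims.get(GIVENNAME) == "noaccess":
        return None
    return RESOURCES.get(manifest["resource"])  # None for identifiers not published

# Constructed, unsigned stand-in for the token the shim forwards.
TOKEN = f"""<saml:Assertion xmlns:saml="{SAML10}"><saml:AttributeStatement>
  <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
    <saml:AttributeValue>Francis</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def serve(manifest_xml=MANIFEST, token_xml=TOKEN, signature_ok=True):
    return authorize(parse_manifest(manifest_xml), token_xml, signature_ok)
```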
——— TROUBLESHOOTING ———
This app is just a POC and has little error handling.
If you access the manifest link and nothing happens, try saving the manifest to disk and running the application from the command line like this:
C:\Program Files\Francis Shanahan[.com]\Claims Protected Resource Shim>CPR_Shim mydoc.cpresx
If you’re behind a proxy, add an app.config file with the proxy details to the same folder as CPR_shim.exe. The contents of the app.config file should look like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.net>
    <defaultProxy>
      <!-- replace the address and port with those of your proxy -->
      <proxy proxyaddress="http://PutProxyAddressHere:Port" usesystemdefault="False" bypassonlocal="True"/>
    </defaultProxy>
  </system.net>
</configuration>
C:\Documents and Settings
If the cprExampleImage.png file is there, just double-click it. If an "Open With…" dialog pops up, pick an application (like Internet Explorer or Paint) and make sure to tick the "always do this" checkbox.
After all that you should be in business. Hey, what do you want for a couple of hours work?
This example requires a shim as there’s no such thing as a "claims protected resource manifest" in the current Cardspace spec. I like this pattern as it
- Doesn’t require a session on the server
- Supports bookmarking and emailing of links through the CPR manifest notion
- Extensible to any resource type
- Easy deployment: hooking Cardspace up with a MIME type seems to make sense
- Abstracts the actual resources from end users and puts claims right in the middle.
I think that this pattern has its uses and would propose that this pattern (maybe not my implementation) be considered as an enhancement to Cardspace in a future release.