views:

384

answers:

2

Hi
I want to create a WCF service that has a login method, which authenticates and gives user roles, and depending on those roles, allows or disallows the user to call other service methods. Which is the best way to do that? Is there a standard WCF mechanism to achieve this?
Thanks a lot!

A: 

Won't simple 'if' statements do?

Umair Ahmed
I am talking about best practices. How to pass roles to other service methods to check? Is passing as a parameter to each method best practice? Please read the post carefully; I think you didn't understand the question.
ArsenMkrt
No, it's not. If you pass roles as parameters, what's to stop someone passing a fake role list?
blowdart
In my last software, I was passing a ticket as a message header and storing roles on the server, but I don't know either whether that was the best way. I think WCF should give a standard mechanism to do that, because this is a common task.
ArsenMkrt
+1  A: 

Basically you don't. Returning a ticket from a login method isn't safe: what's to stop an application editing it and sending a faked version with each subsequent request? Yes, you could sign it, but then you're sending something rather large.

Instead, simply require a username/password combination each time, and use the standard authentication and authorization bits, and role-based CAS to check and limit based on role.

WCF already provides everything needed to use message-based security and require a username and password with each request, and that's a standard SOAP function. Plug in an authentication provider (easy if you're already using the ASP.NET membership functions), then plug in roles (again easy if you're using the ASP.NET bits; otherwise roll your own).

Once you have a role-based principal you can use declarative permission demands

[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]

on methods you want to protect, or even entire classes.

blowdart
+1 good way to do that, but is this the best? Passing username/password to each method is not comfortable, I think...
ArsenMkrt
Updated based on the comment. Requiring a username and password is a standard SOAP function; token-based stuff is not.
blowdart
Thanks blowdart! Now I see the answer to my question.
ArsenMkrt
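The setup blowdart describes, as an added example that is not from the answer: a self-hosted WCF service with wsHttpBinding message security, a UserName credential checked against the ASP.NET membership store on every call, roles resolved through the ASP.NET role provider, and a declarative PrincipalPermission demand on the protected operation. The service name, address, certificate subject and the validator class are assumptions for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Web.Security;

[ServiceContract]
public interface IAdminService
{
    [OperationContract] string ListUsers();
}

public class AdminService : IAdminService
{
    // WCF builds Thread.CurrentPrincipal from the caller's credentials and role provider
    // before the operation runs; a caller not in "Administrators" gets a SecurityAccessDeniedException.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public string ListUsers() { return "alice, bob"; }   // constructed sample result
}

// Hypothetical validator: runs for every request, so no ticket is ever issued or trusted.
class MembershipValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            throw new SecurityTokenException("Unknown username or incorrect password");
    }
}

class Program
{
    static void Main()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var host = new ServiceHost(typeof(AdminService), new Uri("http://localhost:8000/admin"));
        host.AddServiceEndpoint(typeof(IAdminService), binding, "");
        // Message security encrypts the UserName token with the service certificate (placeholder subject).
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "example-service-cert");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new MembershipValidator();
        // Roles come from the configured ASP.NET RoleProvider, never from the client message.
        var authz = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        authz.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        authz.RoleProvider = Roles.Provider;
        host.Open(); Console.ReadLine(); host.Close();
    }
}
```

The membership and role providers themselves (for example SqlMembershipProvider and SqlRoleProvider) are configured in the application's config file, so the client never supplies anything but its username and password.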