ansaurus

Question

Authenticating ASP.NET web app with WCF service

Answer 1

+1 A:

There are two possible solutions I can think of:

Firstly, if the WCF service is an internal service, the web application can then send the name of the user that is asking for the data with each request.

The second is that you store the user name and hash of the password (or actual password) somewhere. Either in the session state or in the user cookie (a session cookie stored in memory passed to the user over https). Then pass the user name and password to the WCF service with each request.

Shiraz Bhaiji 2009-07-06 02:45:48

The WCF service will be available on the Internet.If I store a hash of the password, then I need to enable authentication with the WCF service using the hash of the password - as far as I can see this effectively makes it just a password (albeit one that would be difficult/impossible to guess), but still something that would be “permanently” useful if compromised (at least until the user changed their password).Using the login session token approach I originally described would mean the login session token was only valid for a short period and would be much less risky if compromised.

Secret Squirrel 2009-07-06 07:25:38

Answer 2

+1 A:

See my answer on Storing password in forms authentication cookie - ASP.NET and WCF calls for a solution that does not require storing passwords.

eed3si9n 2009-07-06 22:42:15

I had read the answer you reference before posting this question. It sounds like an interesting approach, but I'm a bit hazy on the mechanics. Could you clarify or provide an example?

Secret Squirrel 2009-07-08 19:50:54

@Secret Squirrel, I expanded the answer in the other page.

eed3si9n 2009-07-09 05:30:42

Answer 3

+2 A:

This is a very reasonable approach.

To do this you setup your service endpoint and configure it with your custom membership provider (You can do the same with SQL membership provider, it doesn't require a custom one).

On the web application you set up the Authenticate event of the Login control to instantiate a new service proxy and set the username/password in the ClientCredentials in the proxy.

Now when you make the call to the Service through the proxy WCF will pass these credentials through the secure channel to the service and use them for authentication.

Now you simply need to store the proxy in session and use it for future access to the service as it has the channel state and a private key.

protected void LoginControl_Authenticate(object sender, AuthenticateEventArgs e)
{
    bool Authenticated = false;
    try
    {
        MyServiceClient proxy = new MyServiceClient("MyServiceEndpoint");
        proxy.ClientCredentials.UserName.UserName = LoginControl.UserName;
        proxy.ClientCredentials.UserName.Password = LoginControl.Password;

        //It doesn't really matter what is called or what it does because 
        //Membership Provider for the Service does the authentication.
        string retval = proxy.login("Logging in"); 

        //Now that channel is established the proxy needs to be kept
        //since it contains the channel state which includes a private key
        Session["MyServiceProxy"] = proxy;  
        Authenticated = true;
    }
    catch (Exception ex)
    {
        //Login Error...
    }
    e.Authenticated = Authenticated;
}

RonnBlack 2009-07-07 00:32:58

I think your suggestion is interesting, but I am concerned about what would happen if the channel faulted (communication error, unhandled service exception, etc) - the web application session would contain a reference to a dead proxy and there would be no way to create a new proxy since I wouldn't have access to the user's password.

Secret Squirrel 2009-07-08 19:42:49

Having thought about your suggestion some more, I don't think this kind of approach would be appropriate. The web application needs to interact with multiple WCF services (with the same user credentials) and this approach would require me to create a proxy for every service at the point when the user logs in and cache all these proxy references in the session. I don't think this will scale well and I need to support a large number of concurrent users on a shared server.

Secret Squirrel 2009-07-09 07:09:26

Each time you instantiate the proxy it needs to go through a handshake to establish a secure channel. Depending on the configuration this may include certificate exchange and generating and sharing an ephemeral encryption key.Caching the proxy eliminates this exchange from happening on each and every request.I’m not sure how to answer the question about the faulted channel since I haven’t tested this scenario. If it doesn’t re-establish automatically then you would probably need to save the username/password somewhere as well. I don’t know that you would have much of a choice.

RonnBlack 2009-07-09 17:27:15

Answer 4

A:

I would suggest to take a look at Geneva which is aimed at solving scenarios as yours. The basic idea is to require the same security token, by mean of an HttpModule, for both the WCF services and the ASP site. The token will be release after authenticating against your membership database and may contain useful info (claims) on the user.

For an intro you may read Bustamante's article.

Giulio Vian 2009-07-07 11:07:18

I had looked into Geneva as a result of reading Bustamente's article a couple of months ago, and it sounds like a possible solution, but it is still in beta, and unfortunately I need a solution now. :-)

Secret Squirrel 2009-07-08 19:55:00

Answer 5

A:

Thanks to everyone for your input. I've settled on an approach (at least for now). It's fairly simple and works well for my purposes.

Using the "UserName" clientCredentialType, and an explicit service login method that returns a security token (token generation details omitted for brevity), the service client can decide whether to pass the genuine password as the password property on the client credentials or the security token instead (obtained from the login method). If the client is a web application the security token could be stored in the forms authentication ticket, or the session, or wherever.

Using the "Custom" userNamePasswordValidationMode and a custom implementation of UserNamePasswordValidator, the validator inspects the password to determine whether it is a valid security token or a password - if it's a password the client credentials are authenticated against the user store (SQL Server database), and if it's a security token then it is checked to ensure it is valid, hasn't expired, and belongs to the user name.

Secret Squirrel 2009-07-09 22:44:12

Answer 6

A:

Microsoft has a WCF service that you can use to authenticate users with ASP.NET Membership.

The code is actually built into the framework - you just need to create a .svc file to use it.

http://msdn.microsoft.com/en-us/library/bb398990.aspx

Simon_Weaver 2010-01-07 08:54:13

ansaurus

tags:

views:

answers:

Authenticating ASP.NET web app with WCF service

related questions