tags:

views:

976

answers:

1
Q: 

Secure WCF Service hosted in IIS 7 using the windows authentication restricted by defined group or users

How to configure a wcf service hosted in IIS 7 to enable access for only defined users / groups to.

Existing configuration:

<authentication mode="Windows"/> 

<services>     
 <service name="MyService.Test" behaviorConfiguration="MyService.TestBehavior">
  <endpoint address="" binding="wsHttpBinding" contract="MyService.ITest">
   <identity>
    <dns value="localhost"/>
   </identity>
  </endpoint>
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
 </service>
</services>
<behaviors>
 <serviceBehaviors>
  <behavior name="MyService.TestBehavior">
   <serviceMetadata httpGetEnabled="true"/>
   <serviceDebug includeExceptionDetailInFaults="true"/>          
  </behavior>        
 </serviceBehaviors>
</behaviors>

I want then to configure permissions (users or groups) either in the web.config or in the file system on files or folder.

+1  A: 

First of all, if you're in an intranet environment, you could and should switch to netTcpBinding - it's faster, it's more flexible, no one can call in from the outside (beyond your firewalls) - perfect.

Next - you have Windows credentials turned on by default with wsHttpBinding and with netTcpBinding. In a WCF world, you wouldn't typically secure files or folders - what you'd secure are service calls - and doing so is easy with Windows credentials - just add a PrincipalPermission attribute to your service implementation, and you're done:

class MyService : IMyService
{
  [PrincipalPermission(SecurityAction.Demand, Role="SysAdmin")]
  public void SensitiveMethod()
  {
   ....
  }
}

Should work just fine.

If you really need to secure files and folders, you can always use the web.config file and specify the usual access permissions based on Windows user names and groups - but that has nothing to do with WCF, really.

Marc

marc_s  2009-07-22 17:27:12
I have added netTcpBinding.If I add a [PrincipalPermission(SecurityAction.Demand, Role="domain\role")] to my Service method I get always access denied. If I add it only to the service method of the Interface it doesn't work. Should I add something to web.config?
Shurup  2009-07-27 16:11:50
You need to use just `[PrincipalPermission(SecurityAction.Demand,Role='Role')]` - **NOT** the Role="domain\role" - just Role='role'
marc_s  2009-07-27 17:03:13
Yes it works!For properly working with netTcpBinding you I've performed following steps:- reinstalled the NON-HTTP activation, that used default port 808- added in the web.config <security mode="Transport"> <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/> </security>- shared the folder for IIS-IUSRS (see http://msdn.microsoft.com/en-us/library/ms751432.aspx)- Added the PrincipalPermission to my code.Is it possible to change the permissions directly in web.config?
Shurup  2009-07-28 13:14:34

related questions

Dynamic programming with WCF
WCF Service Returning "Method Not Allowed"
Exceptions in Web Services
What SPN do I need to set for a net.tcp service?
How do I unit test a WCF service?
Best practices for versioning your services with WCF?
Lazy Loading with a WCF Service Domain Model?
How many ServiceContracts can a WCF Service have?
How can I authenticate using client credentials in WCF just once?
WCF - Domain Objects and IExtensibleDataObject
InvalidOperationException while creating wcf web service instance
Closing and Disposing a WCF Service
What WCF best practices do you follow in object model design?
WCF push to client through firewall?
Loading System.ServiceModel configuration section using ConfigurationManager
I would like some tips for debugging WCF Web Service exceptions
What's the best way to authenticate over WCF?
Good Reads for Distributed Systems
.Net - Returning DataTables in WCF
What is the easiest way to add compression to WCF in Silverlight?
WCF Backward Compatibility Issue
Best Practices for securing a REST API / web service
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
WCF - High availability