views:

976

answers:

1

How do I configure a WCF service hosted in IIS 7 to enable access for only defined users / groups?

Existing configuration:

<authentication mode="Windows"/>

<services>
 <service name="MyService.Test" behaviorConfiguration="MyService.TestBehavior">
  <endpoint address="" binding="wsHttpBinding" contract="MyService.ITest">
   <identity>
    <dns value="localhost"/>
   </identity>
  </endpoint>
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
 </service>
</services>
<behaviors>
 <serviceBehaviors>
  <behavior name="MyService.TestBehavior">
   <serviceMetadata httpGetEnabled="true"/>
   <serviceDebug includeExceptionDetailInFaults="true"/>
  </behavior>
 </serviceBehaviors>
</behaviors>

I want then to configure permissions (users or groups) either in the web.config or in the file system on files or folder.

+1  A: 

First of all, if you're in an intranet environment, you could and should switch to netTcpBinding - it's faster, it's more flexible, no one can call in from the outside (beyond your firewalls) - perfect.

Next - you have Windows credentials turned on by default with wsHttpBinding and with netTcpBinding. In a WCF world, you wouldn't typically secure files or folders - what you'd secure are service calls - and doing so is easy with Windows credentials - just add a PrincipalPermission attribute to your service implementation, and you're done:

using System.Security.Permissions;
using System.ServiceModel;

[ServiceContract]
public interface IMyService { [OperationContract] void SensitiveMethod(); }

public class MyService : IMyService
{
  // The caller must be a member of the Windows group "SysAdmin"; otherwise
  // the demand throws a SecurityException and the operation never runs.
  [PrincipalPermission(SecurityAction.Demand, Role = "SysAdmin")]
  public void SensitiveMethod()
  {
    // ...
  }
}

Should work just fine.

If you really need to secure files and folders, you can always use the web.config file and specify the usual access permissions based on Windows user names and groups - but that has nothing to do with WCF, really.

Marc

marc_s
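As an added example (not the answer's own config), here is a complete web.config `system.serviceModel` section that puts the answer's advice together: the service from the question moved to netTcpBinding with transport security and Windows client credentials, so the role demanded by `PrincipalPermission` comes from an authenticated Windows identity. The service and contract names are taken from the question; the binding name `WindowsTcp` is an assumption, and it assumes the IIS 7 site has the net.tcp protocol enabled (WAS non-HTTP activation).

```xml
<!-- Added example, not the original post's configuration.
     Assumes: service/contract names from the question, a site with the
     net.tcp protocol enabled, and a made-up binding name "WindowsTcp". -->
<configuration>
  <system.web>
    <!-- IIS authenticates callers as Windows accounts. -->
    <authentication mode="Windows"/>
  </system.web>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="WindowsTcp">
          <!-- Transport security with Windows (Kerberos/NTLM) credentials;
               the channel is both encrypted and signed. -->
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <services>
      <service name="MyService.Test" behaviorConfiguration="MyService.TestBehavior">
        <endpoint address="" binding="netTcpBinding" bindingConfiguration="WindowsTcp"
                  contract="MyService.ITest"/>
        <!-- Metadata over net.tcp as well, so no HTTP endpoint is needed. -->
        <endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange"/>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyService.TestBehavior">
          <serviceMetadata httpGetEnabled="false"/>
          <!-- Exception details in faults leak internals; keep this off
               outside of development. -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
          <!-- Evaluate Role="GroupName" on PrincipalPermission against the
               caller's Windows group membership (this is also the default). -->
          <serviceAuthorization principalPermissionMode="UseWindowsGroups"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

With this in place the `[PrincipalPermission(SecurityAction.Demand, Role="...")]` attribute on an operation is checked per call, so each operation can carry its own group; a caller outside the group receives an access-denied fault before the method body executes.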
I have added netTcpBinding. If I add a [PrincipalPermission(SecurityAction.Demand, Role="domain\role")] to my service method I always get access denied. If I add it only to the service method of the interface it doesn't work. Should I add something to web.config?
Shurup
You need to use just `[PrincipalPermission(SecurityAction.Demand,Role='Role')]` - **NOT** the Role="domain\role" - just Role='role'
marc_s
Yes, it works! For properly working with netTcpBinding I've performed the following steps:
- reinstalled the NON-HTTP activation, which used the default port 808
- added in the web.config <security mode="Transport"> <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/> </security>
- shared the folder for IIS-IUSRS (see http://msdn.microsoft.com/en-us/library/ms751432.aspx)
- added the PrincipalPermission to my code.
Is it possible to change the permissions directly in web.config?
Shurup
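The "usual access permissions based on Windows user names and groups" that the answer mentions for web.config are ASP.NET URL authorization rules. As an added example (not from the thread), this is what they look like for the HTTP-hosted form of the service; the group name `DOMAIN\ServiceUsers` is a placeholder, and the comments state the assumptions about when these rules apply.

```xml
<!-- Added example, not the original post's configuration.
     Placeholder group: DOMAIN\ServiceUsers. -->
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <!-- Rules are evaluated top to bottom; the first match wins, so
           allow the group first and then deny everyone else. -->
      <allow roles="DOMAIN\ServiceUsers"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <system.serviceModel>
    <!-- URL authorization is part of the ASP.NET HTTP pipeline. A WCF
         service only passes through that pipeline in ASP.NET compatibility
         mode, which this setting enables for the application; the service
         class must also opt in with
         [AspNetCompatibilityRequirements(RequirementsMode =
             AspNetCompatibilityRequirementsMode.Allowed)]. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
  </system.serviceModel>
</configuration>
```

Two caveats follow from where these rules are enforced. They apply to the URL (the whole .svc), not to individual operations, so they cannot distinguish a sensitive method from a harmless one the way a per-operation `PrincipalPermission` can. And because they live in the ASP.NET HTTP pipeline, they do not cover a net.tcp endpoint at all; for the netTcpBinding setup from the comments above, the `PrincipalPermission` demand (or a `serviceAuthorization` behavior) remains the control that actually gates the calls.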