tags:

views:

204

answers:

1
Q: 

How to declaratively implement custom IAuthorizationPolicy in WCF?

I have a WCF service that is hosted in IIS. I want to use my own IAuthorizationPolicy, and have it configured in the web.config file on the server. I have my auth policy:

namespace MyLib.WCF
{
    public class CustomAuthorizationPolicy : IAuthorizationPolicy
    {
        public CustomAuthorizationPolicy()
        {
            this.Id = Guid.NewGuid().ToString();
        }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            throw new ApplicationException("Testing custom auth");
        }
        ...
    }
}

And in my web.config:

<service behaviorConfiguration="Behavior" name="MyService">
    <endpoint address="" binding="wsHttpBinding"  contract="IMyService"/>      
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
<serviceBehaviors>
    <behavior name="Behavior">
        <serviceAuthorization principalPermissionMode="Custom">
            <authorizationPolicies>
     <add policyType="MyLib.WCF.CustomAuthorizationPolicy, MyLib.WCF, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
            </authorizationPolicies>
        </serviceAuthorization>
    </behavior>
</serviceBehaviors>

But my CustomAuthorizationPolicy.Evaluate() method never fires. What am I missing?

A: 

Well, the obvious (silly) question is: in your <service>, do you actually reference your behavior configuration??

I.e. do you have:

<system.serviceModel>    
 ....
   <service name="YourService" behaviorConfiguration="Behavior">
       ....
   </service>
 ....
</system.serviceModel>

Just defining all your stuff is nice and well - but unless you've actually referenced it, it won't do you any good (been there, done that myself, too! :-) )

Second (almost as silly) question would be: what binding and security config do you use?? Have you even turned on security at all? If you have <security mode="None">, then your service authorization will obviously never be used, either (since no credentials are being passed to the service at all).

Marc

marc_s  2009-08-24 14:38:06
Great questions, it's usually the obvious things that get me! I've added my service config to the code snippet above, but to answer your questions: 1) Yes I'm referencing my behaviorConfiguration, 2) I'm using wsHttpBinding but I don't have a Security mode set - maybe that defaults to None?
MrDustpan  2009-08-24 16:13:20
No, actually, the wsHttp binding defaults to message based security using Windows credentials. That shouldn't be the problem....
marc_s  2009-08-24 16:58:58

related questions

Dynamic programming with WCF
WCF Service Returning "Method Not Allowed"
Exceptions in Web Services
What SPN do I need to set for a net.tcp service?
How do I unit test a WCF service?
Best practices for versioning your services with WCF?
Lazy Loading with a WCF Service Domain Model?
How many ServiceContracts can a WCF Service have?
How can I authenticate using client credentials in WCF just once?
WCF - Domain Objects and IExtensibleDataObject
InvalidOperationException while creating wcf web service instance
Closing and Disposing a WCF Service
What WCF best practices do you follow in object model design?
WCF push to client through firewall?
Loading System.ServiceModel configuration section using ConfigurationManager
I would like some tips for debugging WCF Web Service exceptions
What's the best way to authenticate over WCF?
Good Reads for Distributed Systems
.Net - Returning DataTables in WCF
What is the easiest way to add compression to WCF in Silverlight?
WCF Backward Compatibility Issue
Best Practices for securing a REST API / web service
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
WCF - High availability