tags:

views:

308

answers:

1
+2  Q: 

Flowing WCF Role-Based Security through to UI

I am looking for some best practices on how to handle the following scenario - flowing permissions from WCF service layer through to UI:

I have WCF services with methods that have been decorated with the PrincipalPermission attribute. I would like a means to allow a client to check if they have the required permissions before invoking the method.

A basic example of this could be checking whether a user can perform a specific function (say submitting an order), which can then be used to enable/disable a button within the UI.

Possible options are to add "chatty" operations like bool CanSubmitOrder() to the service, or instead have a single method OrderServicePermissions GetPermissions() which returns a message with a property CanSubmitOrder? I can then set the enabled state of a "Submit Order" button to the result.

So does anybody know of a better approach, or even a best practice?

Thanks in advance!

A: 

The whole point of having PrincipalPermission attributes on your service calls is that you don't have to check ahead of time whether or not the caller has the rights to call - if he doesn't, the WCF runtime will throw an exception.

Why not just rely on this built-in mechanism? Why not just put your service calls in a try..catch block and handle the exceptions if they do actually occur? It should be the "exceptional" case anyway, right?

I don't see any other "magic" way besides what you described. But the generally accepted practice would be to call and handle any exceptions if they occur.

Marc

marc_s  2009-09-25 16:38:51
I think it really comes down to the UI and workflow I guess - there may scenarios where it would be useful to know what a user can do ahead of time, without incurring the additional costs of multiple service calls and exception throwing/management. An example is setting up the default state of a view based on permissions. Instead of then making multiple calls to various methods, handling the exceptions and setting the state, it makes more sense to me to make a single call to get the details and then set the state with the results.
Frank Bell  2009-09-28 09:35:24
I think I am going to go with the OrderServicePermissions GetPermissions() route, which will allow me to add the OrderServicePermissions message to other service call results where appropriate, to reduce the number of calls required. Its really about the same amount of work, but it allows me to wrap it all into the service, keeping my client as thin and simple as possible.Thanks for your comments though...
Frank Bell  2009-09-28 09:36:07

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security