tags:

views:

276

answers:

1
+1  Q: 

How to call a WCF service from a unit test as an anonymous identity?

I've a SecurityService that has a AutoLogin method, that uses the ServiceSecurityContext to find out which windows identity is calling and then tries to find the related user account in the database. This is working fine when it is called from a web site that uses impersonation and requires integrated security in IIS. The call is using the stock NetPipeBinding.

I'd like to test the service as follows:

[TestMethod]
public void AutoLoginAsAnonymousFails()
{
    using (var anonymousContext = WindowsIdentity.Impersonate(WindowsIdentity.GetAnonymous().Token))
    {
     ISecurityService securityService = ClientChannelManager.CreateSecurityServiceChannel();
     var loginResponse = securityService.AutoLogin();
     ((ICommunicationObject)securityService).Close();
     Assert.IsFalse(loginResponse.IsSuccessful);    
    }
}

On the service side the user in the securitycontext is always me - how to make it an anonymous user? I've already tried to impersonate the IntPtr.Zero but without success.

For reference the relevant part of the service method:

public ResponseMessage AutoLogin()
{
    if (ServiceSecurityContext.Current.WindowsIdentity != null
        && !ServiceSecurityContext.Current.WindowsIdentity.IsAnonymous
        && !ServiceSecurityContext.Current.WindowsIdentity.IsGuest
        && ServiceSecurityContext.Current.WindowsIdentity.IsAuthenticated)
    {
     // find the user based on his windows identity and return success = true message
    }

    // return success = false message
}
A: 

This is a classic example of how separation of concerns could help you. Instead of relying directly on ServiceSecurityContext (something that one should, IMO, never do), make sure to configure your service so that security information is instead encapsulated in Thread.CurrentPrincipal.

IIRC, when you use Windows authentication and impersonation, it may even set this up for you automatically, but otherwise, you can always write a custom ServiceAuthorizationManager, that does this for you.

This will allow you to vary your security concerns independently of your domain logic. If you stick with the IPrincipal interface and resist the temptation of downcasting to WindowsPrincipal, your code will even be ready for the future of identity: Claims-based Identity, as implemented by the Windows Identity Foundation (WIF).

This also helps tremenduously with unit testing, because you can then just assign a GenericPrincipal to Thread.CurrentPrincipal before invoking your System Under Test (SUT).

Mark Seemann  2009-11-05 12:24:00
well, Mark (btw: nice name, but written wrong :-p), thank you for your input so far. You're probably right. I'll check this in a separate test project. But I still have no idea why the test is unable to simulate an anonymous user although I'm inside an impersonating block. Any ideas why this fails?
Marc Wittke  2009-11-09 07:19:36
I'll need a bit more input before I can attempt to answer that. When I originally wrote my answer I assumed that the unit test simply created a new instance of the service class itself, thus bypassing the service host. I based that assumption on your use of the term 'unit test', but I now see that your code may also read as if your test is creating a new proxy and invoking your service (hosted ouf of process) via NetNamedPipes. Is that correct a more correct interpretation?
Mark Seemann  2009-11-09 08:43:35
It's correct. In detail I am using the InProcFactory from Juval Löwys ServiceModelEx library. It allows to replace the new keyword by a factory call - nice stuff to see if the serialization stuff is working. And yes, this is not the fine granularity that is desirable for unit tests, but belive me - implementing such a type of test is by amplitudes better than what we had before ...
Marc Wittke  2009-11-11 07:15:43
I have no problem with the granularity of your testing efforts - I just misunderstood the scenario. Can you get it to work with netTcpBinding instead (just to troubleshoot)?
Mark Seemann  2009-11-11 08:18:58

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?