Hello there,

I need help on securing my WCF Service so that only authorized users can make a call to service methods.

The WCF Service is configured with wsHttpBinding and is hosted under a Windows Service.

The client application is an ASP.NET website. Also, the users making calls to the WCF service are already authorized by the client application, so I just need to make sure that they are authorized while handling the request on the service side.

Please guide me on what the different ways are (along with their pros and cons, if possible) to achieve the above.

Thank you!

A: 

If you are using the ASP.NET role provider infrastructure, you could pass the user on and leverage the same provider via WCF. This would be nice as it would maintain logic across the process boundaries.

If you are using Windows groups for ASP.NET, the same would apply, just re-authorize.

Certificates are an option, but then you have to manage them.

Lastly, you could issue an access token and validate it on the WCF side. This could be done by extending WCF (probably at the contract level). You would then have to manage the token via some other service to enforce expiration, etc.

Adam Fyles
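
The access-token option from the answer above, sketched as an added example that is not part of the original answer: a `ServiceAuthorizationManager` that rejects any call lacking a valid, unexpired HMAC-signed token. The header name, namespace, token layout (`base64(user|expiryTicks).base64(HMAC-SHA256)`) and shared-key distribution are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.ServiceModel;
using System.Text;

// Added example, not from the original answer. Token = base64(user|expiryTicks).base64(HMAC).
// Register in the host: host.Authorization.ServiceAuthorizationManager = new TokenAuthorizationManager(key);
public class TokenAuthorizationManager : ServiceAuthorizationManager {
    const string HeaderName = "AccessToken";      // hypothetical header name
    const string HeaderNs = "urn:example:auth";   // hypothetical namespace
    readonly byte[] _key;                         // secret shared with the token issuer
    public TokenAuthorizationManager(byte[] key) { _key = key; }

    // WCF calls this for each incoming request; returning false denies access.
    protected override bool CheckAccessCore(OperationContext operationContext) {
        var headers = operationContext.IncomingMessageHeaders;
        if (headers.FindHeader(HeaderName, HeaderNs) < 0) return false;
        return IsValid(headers.GetHeader<string>(HeaderName, HeaderNs), _key, DateTime.UtcNow);
    }

    // Issuer side (e.g. the ASP.NET site after it has authorized the user).
    public static string Issue(string user, DateTime expiresUtc, byte[] key) {
        string payload = user + "|" + expiresUtc.Ticks;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "."
             + Convert.ToBase64String(Sign(payload, key));
    }

    public static bool IsValid(string token, byte[] key, DateTime nowUtc) {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        try {
            string payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
            // Verify the MAC before trusting any field of the payload.
            if (!FixedTimeEquals(Convert.FromBase64String(parts[1]), Sign(payload, key))) return false;
            int sep = payload.LastIndexOf('|');
            long ticks;
            return sep > 0 && long.TryParse(payload.Substring(sep + 1), out ticks)
                && nowUtc.Ticks < ticks;            // reject expired tokens
        } catch (FormatException) { return false; } // malformed base64
    }
    static byte[] Sign(string payload, byte[] key) {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    static bool FixedTimeEquals(byte[] a, byte[] b) {  // comparison without early exit
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Keeping the expiry inside the signed payload lets the service enforce it without a lookup; revoking a token before it expires still needs the separate token-management service the answer mentions.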