tags:

views:

112

answers:

2
Q: 

WCF security with AD functional groups

I have a WCF service running as a Windows service on intranet and I need to check that users accessing the service belong to certain AD functional groups. That is quite straightforward. I can call a method decorated with [OperationContract] that does that. However, can I enforce this check is performed each time the service is instantiated? I tried to call the method in the service's constructor but that doesn't seem to work.

My client is a WinForms app and I'm performing this security check when the main form's constructor which is not great. I would like to avoid hardcoding functional group names in attributes as the functional groups might change and I'd like them to be specified in the app.config file of the WCF service.

I'm contrained to .NET 3.0.

Thanks

A: 

By default, a WCF service will be either per-call or per-session, depending on your bdingin. The recommended best practise is per-call, and in this case, each request will:

  • gets its own totally new, separate service class instance
  • the service class will be instantiated
  • the appropriate service method will be called, including all the checks for authorisation on the operation context
  • the response will be returned to the caller
  • the service class will be disposed of

You can enforce the per-call instantiation by applying a simple attribute to your service class - the implementation of your service contract:

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
class YourServiceImplementation : IYourServiceContract
{
  ...
}

Read more on the topic here:

Discover Mighty Instance Management Techniques For Developing WCF Apps

marc_s  2009-12-15 21:30:51
A: 

I've implemented ServiceAuthorizationManager to handle authorization. However, it seems I cannot access Active Directory at the point the ServiceAuthorizationManager methods are called. The Thread.CurrentPrincipal.Identity.Name of my service is empty. I suspect this would be used as credentials when I query AD. If I try to query AD after my service class has been created though, it works and Thread.CurrentPrincipal.Identity.Name is filled correctly. The problem is I'd have to perform validation in each [OperationContract] method which just doesn't seem right.

trendl  2009-12-29 12:40:44

related questions

Dynamic programming with WCF
WCF Service Returning "Method Not Allowed"
Exceptions in Web Services
What SPN do I need to set for a net.tcp service?
How do I unit test a WCF service?
Best practices for versioning your services with WCF?
Lazy Loading with a WCF Service Domain Model?
How many ServiceContracts can a WCF Service have?
How can I authenticate using client credentials in WCF just once?
WCF - Domain Objects and IExtensibleDataObject
InvalidOperationException while creating wcf web service instance
Closing and Disposing a WCF Service
What WCF best practices do you follow in object model design?
WCF push to client through firewall?
Loading System.ServiceModel configuration section using ConfigurationManager
I would like some tips for debugging WCF Web Service exceptions
What's the best way to authenticate over WCF?
Good Reads for Distributed Systems
.Net - Returning DataTables in WCF
What is the easiest way to add compression to WCF in Silverlight?
WCF Backward Compatibility Issue
Best Practices for securing a REST API / web service
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
WCF - High availability