tags:

views:

161

answers:

1
+1  Q: 

Authentication and Authorization scheme for an application exposed as WCF Service Layer?

Hi,

I know this question must have been discussed million times in your organization. One more go.

Designing a LOB application which has its business operations exposed as services.

These services would be accessed by our own web application(ASP.Net MVC), smart desktop clients, mobile clients, as well as, our partners via either their web applications or single discreet calls.

As others are accessing the services and not only our web application, each call to the service needs to be authenticated and authorized.

What is the best and optimum security scheme? How do I pass authenticated user's credentials in each call from my web application to service? (Windows Identity Foundation??)

Is this the case for Windows Identity Foundation? If yes, what pieces fit where? and How?

Thanks for your help.

Regards.

A: 

Although I risk stating the obvious: Authentication and Authoriziation are two different things and should be handled in separate places in your application.

In WCF, you can implement authentication using the (not particularly intuitively named) types IAuthorizationPolicy and ServiceAuthorizationManager. This should take care of authentication, but will also allow you to map the authenticated user to an IPrincipal instance. This principal you can assign to Thread.CurrentPrincipal so that you can later access it from within the application's implementation.

Windows Identity Foundation (WIF) gives you new capabilities mostly related to authentication. It builds on top of IPrincipal by defining an IClaimsPrincipal interface, but the concept remains the same.

If you need to implement claims-based security with federating partners, WIF is the correct choice. If you just need to authenticate and authorize internal users from your AD, it wouldn't be my first choice.

However, if you follow the Liskov Substitution Principle and code against IPrincipal only, you can later retrofit WIF if it turns out that you need to deal with claims-based identity.

Mark Seemann  2010-02-11 12:03:29

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?