Hi,

I know this question must have been discussed a million times in your organization. One more go.

Designing a LOB application which has its business operations exposed as services.

These services would be accessed by our own web application (ASP.NET MVC), smart desktop clients, mobile clients, as well as our partners via either their web applications or single discrete calls.

As others are accessing the services and not only our web application, each call to the service needs to be authenticated and authorized.

What is the best and optimum security scheme? How do I pass authenticated user's credentials in each call from my web application to service? (Windows Identity Foundation??)

Is this the case for Windows Identity Foundation? If yes, what pieces fit where, and how?

Thanks for your help.

Regards.

A: 

Although I risk stating the obvious: Authentication and Authorization are two different things and should be handled in separate places in your application.

In WCF, you can implement authentication using the (not particularly intuitively named) types IAuthorizationPolicy and ServiceAuthorizationManager. This should take care of authentication, but will also allow you to map the authenticated user to an IPrincipal instance. This principal you can assign to Thread.CurrentPrincipal so that you can later access it from within the application's implementation.

Windows Identity Foundation (WIF) gives you new capabilities mostly related to authentication. It builds on top of IPrincipal by defining an IClaimsPrincipal interface, but the concept remains the same.

If you need to implement claims-based security with federating partners, WIF is the correct choice. If you just need to authenticate and authorize internal users from your AD, it wouldn't be my first choice.

However, if you follow the Liskov Substitution Principle and code against IPrincipal only, you can later retrofit WIF if it turns out that you need to deal with claims-based identity.

Mark Seemann
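The wiring the answer describes, as an added example (not Mark Seemann's code and not from the original post): an IAuthorizationPolicy that turns the identity WCF has already authenticated into an IPrincipal, a ServiceAuthorizationManager that makes the authorization decision from that principal, and a service implementation that only ever touches IPrincipal. The role table, the contract namespace, the endpoint address and the choice of WSHttpBinding with Windows message credentials are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.Threading;

// Authentication side: WCF has already validated the caller's credentials and put the
// resulting identities in evaluationContext.Properties["Identities"]. This policy maps
// that identity to an IPrincipal and publishes it under the "Principal" key; with
// PrincipalPermissionMode.Custom WCF assigns it to Thread.CurrentPrincipal before the
// operation runs. Returning true means "evaluation finished", not "access granted".
public class RolePrincipalPolicy : IAuthorizationPolicy
{
    // Constructed role table standing in for a real store (AD groups, database, ...).
    private static readonly Dictionary<string, string[]> RoleTable =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "CONTOSO\\alice", new[] { "OrderClerk" } },
            { "CONTOSO\\bob",   new[] { "ReadOnly" } },
        };

    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        object obj;
        if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
            return true;                                  // nothing authenticated: no principal
        var identities = obj as IList<IIdentity>;
        if (identities == null || identities.Count == 0 || !identities[0].IsAuthenticated)
            return true;

        IIdentity identity = identities[0];
        string[] roles;
        if (!RoleTable.TryGetValue(identity.Name, out roles))
            roles = new string[0];                        // authenticated, but holds no roles
        evaluationContext.Properties["Principal"] = new GenericPrincipal(identity, roles);
        return true;
    }
}

// Authorization side, kept apart from authentication: runs before dispatch and decides
// per operation from the principal the policy produced. Fails closed on anything unknown.
public class RoleAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed map of SOAP action -> required role (assumed contract namespace below).
    private static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>
        {
            { "http://example.com/orders/IOrderService/PlaceOrder", "OrderClerk" },
            { "http://example.com/orders/IOrderService/GetOrder",   "ReadOnly" },
        };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        if (!base.CheckAccessCore(operationContext))
            return false;
        object obj;
        var props = operationContext.ServiceSecurityContext.AuthorizationContext.Properties;
        if (!props.TryGetValue("Principal", out obj) || !(obj is IPrincipal))
            return false;                                 // no authenticated principal: deny
        string role;
        if (!RequiredRole.TryGetValue(operationContext.IncomingMessageHeaders.Action, out role))
            return false;                                 // operation not in the table: deny
        return ((IPrincipal)obj).IsInRole(role);
    }
}

[ServiceContract(Namespace = "http://example.com/orders")]
public interface IOrderService
{
    [OperationContract] string PlaceOrder(string sku);
    [OperationContract] string GetOrder(string orderId);
}

// Business code depends on IPrincipal only. A WIF IClaimsPrincipal is still an
// IPrincipal, so retrofitting claims-based identity later leaves this class untouched.
public class OrderService : IOrderService
{
    public string PlaceOrder(string sku)
    {
        IPrincipal user = Thread.CurrentPrincipal;
        return string.Format("order for {0} placed by {1}", sku, user.Identity.Name);
    }
    public string GetOrder(string orderId)
    {
        return string.Format("order {0} read by {1}", orderId, Thread.CurrentPrincipal.Identity.Name);
    }
}

public static class Program
{
    public static void Main()
    {
        var host = new ServiceHost(typeof(OrderService), new Uri("http://localhost:8080/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), new WSHttpBinding(SecurityMode.Message), "");
        var authz = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        authz.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        authz.ExternalAuthorizationPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(
            new IAuthorizationPolicy[] { new RolePrincipalPolicy() });
        authz.ServiceAuthorizationManager = new RoleAuthorizationManager();
        host.Open();
        Console.WriteLine("listening on {0}; press Enter to stop", host.BaseAddresses[0]);
        Console.ReadLine();
        host.Close();
    }
}
```

The two decisions live in two types on purpose: the policy never decides access, and the manager never inspects credentials. A caller that authenticates but is absent from the role table reaches the manager with an empty principal and is refused, as is any action missing from the map, so adding an operation without a role entry cannot silently open it up.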