I'd like to receive comments on the way I'm trying to build an ASP.NET web application which uses a WCF service that is hosted in another ASP.NET application. Both applications will live on the same machine, but the app with the WCF service will not be accessible from the outside. There will be two web servers sharing the load behind a load balancer.

The app pool of both applications will use the same local user account (the web server is not part of a domain), and so I was thinking to use WsHttpBinding with Windows security for communication between the client and the internal WCF service.

The front-end ASP.NET app uses forms authentication through a custom membership/role provider to authenticate and authorize users. The user database is in a SQL Server database.

I need to somehow pass the user details (username + roles) to the WCF service so that in the WCF service it will be possible to validate and authorize according to the roles of whoever is logged in on the front-end. I read that I need to use "supporting tokens", but I haven't figured out how to use this.

I also read something about claims and WIF, which seems interesting, but I have no idea how I could use these in my scenario.

Is there anyone who can give me recommendations about the architecture and maybe also show me how to pass the username to the WCF service, and also show me, if possible, how to use claims-based authorization?

+1  A: 

First of all, if both servers are behind the corporate firewall on a corporate LAN, I would strongly suggest using netTcpBinding instead of any http based binding. NetTcpBinding is much faster due to encoding the message in a binary format.

As for username / password: your ASP.NET front-end server could set the client credentials for the user calling for the WCF service - after all, the ASP.NET servers do have access to the ASP.NET membership database, don't they?

Or if you cannot pass on the user's credentials, you could pass on some headers to your WCF service that would describe the user - actually, you probably only ever need the user's unique ID - since the WCF service could fish out the rest of the info from the ASP.NET user database again, if really needed.

As for claims - I don't think they'd be a good idea here - you don't really have to deal with a multitude of different authorization schemes, and you're not using any federation (e.g. allowing users from a different company or domain to use your services) - so those obvious benefits probably won't really be applicable to your case.

marc_s
Thanks for your reply. I do not think netTcpBinding is an option because the web servers are running IIS6, unfortunately. Passing supporting tokens seems to be what I need to do to pass the username of the user logging in to the front-end web app to the WCF service. But unfortunately I am unable to set it up; it must be a problem with certificates... do I need them at all in this scenario, since the messages will never leave the server machine?
skyplusplus
@skyplusplus: the web servers are only acting as WCF clients, right, calling the WCF service. No problems/issues with using netTcpBinding in that case! The only point will be that the WCF service needs to be self-hosted on the other end, and not hosted in IIS6. That little extra effort will be well worth it in order to be able to use netTcpBinding!
marc_s
Yeah, I think I'm going that way, i.e. host the WCF service in a Windows service and expose it using the netTcpBinding. You're right, it should be OK to just add the user id into a header since the WCF services will only be accessed locally and therefore the callers are trusted. Cheers
skyplusplus
Hi, I was just wondering: since ASP.NET is a multi-threaded environment, and there will be multiple users requesting at the same time, do I need to do anything special in the Windows service that will be hosting the WCF service? Will it be able to handle multiple requests at once? Or do I need to implement some sort of queue and have multiple threads processing it?
skyplusplus
@skyplusplus: no, nothing special to do - just create an instance of ServiceHost, open it, and let the WCF runtime do the rest of the magic.
marc_s
That is cool... thanks once again!
skyplusplus
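The design the thread settles on (self-hosted ServiceHost over netTcpBinding, caller's user id carried in a custom SOAP header, roles looked up from the membership database on the service side) as an added C# example; this is not code from the question or the answer. The contract name `IOrderService`, the header name/namespace and the address are assumptions; NetTcpBinding's default transport security authenticates the caller's Windows account, which is why a plain header is acceptable only because the endpoint is reachable solely from the local, trusted front-end.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical contract shared by the front-end app and the internal service.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrders();
}

// Service side: reads the caller's user id from the custom header and authorizes on it.
public class OrderService : IOrderService
{
    public string GetOrders()
    {
        MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
        int idx = headers.FindHeader("UserId", "urn:example:frontend"); // assumed name/namespace
        if (idx < 0)
            throw new FaultException("Missing UserId header"); // reject calls with no identity
        string userId = headers.GetHeader<string>(idx);
        // Here the service would load the roles for userId from the membership DB and
        // throw a FaultException if the user is not allowed to call this operation.
        return "orders for " + userId;
    }
}

class Program
{
    static void Main()
    {
        // Hosting as in the comments: one ServiceHost, open it, WCF handles concurrent calls.
        var address = new Uri("net.tcp://localhost:8731/orders"); // assumed local address
        using (var host = new ServiceHost(typeof(OrderService)))
        {
            host.AddServiceEndpoint(typeof(IOrderService), new NetTcpBinding(), address);
            host.Open();
            // Client side (front-end): attach the logged-in user's id as an outgoing header.
            var factory = new ChannelFactory<IOrderService>(new NetTcpBinding(), new EndpointAddress(address));
            IOrderService proxy = factory.CreateChannel();
            using (new OperationContextScope((IContextChannel)proxy))
            {
                var header = MessageHeader.CreateHeader("UserId", "urn:example:frontend", "alice");
                OperationContext.Current.OutgoingMessageHeaders.Add(header);
                Console.WriteLine(proxy.GetOrders());
            }
            ((IClientChannel)proxy).Close();
        }
    }
}
```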