tags:

views:

39

answers:

1
Q: 

WCF & ASP.NET Membership Provider

I know for WCF to work with a membership provider you have to explicitly configure it: (e.g. http://www.codewrecks.com/blog/index.php/2009/09/08/use-aspnet-membership-provider-with-a-wcf-svc-service/)

But if you already have the ASP.NET site using it, can't you prevent anonymous access to the service simply by doing the following?

  <location path="PathToWCFService">
    <system.web>
      <authorization>
        <deny users"?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Assuming this works, then I would guess WCF wouldn't have access to the membership information? Any other reasons why this might be a bad idea? Thanks!

Edit: Any other way to use WCF with the membership provider that doesn't require maintaining a certificate?

A: 

Ok, I usually am comfortable deferring to marc_s, but in this case, I think his comments may be not entirely accurate.

The thing I think he is disregarding is that hosting a service in ASP.NET is entirely different than self hosting.

When you host a service in an ASP.NET website, the host factory is managed by ASP.NET and is actuated by accessing the .svc endpoint, which is served by ASP.NET.

So, while participating in and having access to the ASP.NET context for a service is opt-in, ASP.NET most certainly does process the request.

And so, yes, you may guard any .svc endpoint with ASP.NET authorization as you show.

So you have it guarded against unauthenticated access. What now? How to authenticate a client so that it may access your service?

That is where the link you provide for using membership/authentication with a service.

So, in your question, you are describing the two reciprocal aspects of protecting an ASP.NET hosted wcf service with the membership provider stack but perhaps are viewing them as either/or.

Now, I could be mistaken, but this is how I understand it and how I have implemented it in the past.

Good luck.

And yes, there are methods of protecting a service with membership that do not involve a certificate but they typically have either a bit of smell to them and/or require a BasicHttp or WebHttp binding.

I am happy to explore this with you more if you like.

Sky Sanders  2010-07-22 03:43:44
`So you have it guarded against unauthenticated access. What now?` I think it depends how it's being used. The `<forms loginUrl="..."` in web.config redirects on an unauthenticated page request. However, what would happen if the user authenticates, is on an authenticated page, then the login expires. From that page there could be an AJAX call, in which case the response would be the redirected page? Look like I'm not the only one with this issue, which is not unique to WCF: http://stackoverflow.com/questions/199099/how-to-manage-a-redirect-request-after-a-jquery-ajax-call
Nelson  2010-07-22 15:13:26
In my specific case the authentication doesn't time out (yes, I know the implications). Unless the user goes to the authenticated page and then clears their cache/cookies, the AJAX call should always work. There are no AJAX calls to the service from an unauthenticated page and if there were, I could have two services. Unless I'm wrong, if all I want is to make sure they are authenticated, in my specific case it should be mostly OK. If I want to check roles I can still do that in the web.config, but I couldn't require different roles for different methods unless I split the service. Am I right?
Nelson  2010-07-22 15:18:45
Last thing... If I'm using the service within the context of a local webpage as I previously stated, this may work. If I need authentication for a service that will be accessed by another website, Windows client app, etc. then I would have to connect the membership provider to the WCF service.
Nelson  2010-07-22 15:33:33
@nelson - it wasn't clear in your question that you wish to use AJAX to access your service. That certainly simplifies matters, as the XHR will use the browser's cookies. Handling authentication timeouts is certainly a challenge but is manageable without having an eternal session, see http://stackoverflow.com/questions/2234348/notify-user-when-session-time-out-in-asp-net/2234421#2234421
Sky Sanders  2010-07-22 15:34:26
@nelson r.e. 'last thing': in this cas you would leverage ApplicationServices, which is designed to support such scenarios. But again, the actual requirements of you implementations will bear heavily on which route is appropriate and the permutations are far to great to elaborate on without much more specific requirements.
Sky Sanders  2010-07-22 15:37:40
@neslon - regarding handling login redirects - I hate them. the MS implementation is broken, has been since the beginning and still is. See http://www.codeproject.com/Articles/39062/Salient-Web-Security-AccessControlModule.aspx for more information about the issue and how you can eliminate it completely.
Sky Sanders  2010-07-22 15:40:00
Sorry that I didn't specify AJAX earlier. I didn't realize at the time it was useful context for the problem domain. Anyway, thanks for all the insight. I'm no expert on this yet, but I do have a much better understanding. I also agree on the redirect issues. I have come across some of them and most solutions are kludgy at best.
Nelson  2010-07-22 15:59:53

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?