tags:

views:

24

answers:

1
Q: 

Authenticating call to WCF / Web Service from ASP.Net MVC

Hi everyone,

Basic question here (I think), I was hoping someone could point me in the right direction. I don't know much about WCF but I'd like to create a web service to be called from an ASP.Net MVC application. The goal is to make sure only authorized ASP.Net users (we're using forms authentication) can call the web service, not just anyone. Are there tutorials out there I can look at on how to approach this? Many thanks.

+1  A: 

I assume from the question that you don't care what the end (MVC) user ID is that is hitting the WCF service (in other words you don't need a specific authenticated user to hit the WCF so you can get the ID of that specific user (i.e. so you know that joeBobUser hit the WCF)). you just want to make sure that user is authenticated and authorized to use the site. You don't need every potential user of your MVC app to be authenticated/authorized.

As long as that is true, then my approach would be as follows:

  • run your MVC app as a specific, known user account (i.e. set up the app pool in IIS to runas a domain user such as yourdomain\youMvcAccount) instead of the default asp account. There are lots sites that have instructions on how to make this happen if you are not already running your mvc app as a domain user.

  • set up your WCF service endpoint configuration binding as WsHttp. Again, many sites describe how to do this. here's one that does it via GUI (I prefer hand-editing the config but whatever). So now your WCF service will only accept secure, authenticated requests

  • create your WCF client proxy in the MVC app. easiest way to do this (probably not best re: separation of concerns, but just to get started) is just add new web service and discover you WCF endpoint that way. Again, basic stuff easily googable if you don't know how to do that.

  • Now your MVC app will be making the call to the WCF service authenticated. However, at this point, any client authenticated in your domain can call the service. You are now accepting ONLY authenticated but ANY authorized user. All calls issued from your MVC app hitting the WCF will be from the identity yourDomain\yourMvcApp

  • Restrict authorization to the identity set in #1 restricting (authorizing) authenticated users can be done a number of ways. The get'r'done fast way (but not very flexible as any change requires recompile) is just to check the identity of the request is the same as the identity of your WCF service directly in your service call. Alternatively, you can set up more robust (with the concurrently more goo) options such as AzMan or other WCF authentication rule sets. Again, many sites have instructions on setting that sort of thing up after you have an authenticated user. Here is a SO question that limits authorization to a windows group post (I'd do it that way--more flexible but you need to add that user to a group on your domain), and another article that goes more into the details of WCF security and allowing only a specific user access to the service.

    • Kevin Won  2010-08-20 21:55:45
    I agree except the WsHttpBinding. Why did you choose that one?
    Ladislav Mrnka  2010-08-20 22:01:04
    You know, now that you mention it, I guess it doesn't really matter except that it's the most common secure binding and therefore easy to find examples/help on the web. In my shop we need kerberos since we load balance, but that is such a pain I wouldn't want to even try to illustrate how to make that happen.
    Kevin Won  2010-08-20 22:04:49
    If you expect that service will be called over Internet than WSHttpBinding is good choice but in case of calling service in intranet I would choose other one. But this question doesn't specify how the service will be called so WSHttpBinding is probably good choice.
    Ladislav Mrnka  2010-08-22 20:35:39

    related questions

    Displaying Version Information in a Web Service
    Example Web Service
    SoapException: Root element is missing occurs when .NET web service called from Flex
    Best practice for webservices
    What is your preferred method of sending complex data over a web service?
    .Net - Returning DataTables in WCF
    Is it possible to return objects from a WebService?
    How much extra overhead is generated when sending a file over a web service as a byte array?
    Returning Large Results Via a Webservice
    File Uploads via Web Services
    best way to persist data in .NET Web Service
    What is the difference between an endpoint, a service, and a port when working with webservices?
    Calling REST web services from a classic asp page
    Best way to write a RESTful service "client" in .Net?
    Where can I find some good WS-Security introductions and tutorials?
    ASP.NET Web Service Results, Proxy Classes and Type Conversion
    Web Services -- WCF vs. Standard
    C# WCF Service - Backward compatibility issue
    Document or RPC based web services
    How to easily consume a web service from PHP
    Timer-based event triggers
    How to pass enumerated values to a web service
    Homegrown consumption of web services
    How do I print an HTML document from a web service?
    How do I fill a DataSet or a DataTable from a LINQ query resultset ?