There is the following design: the back-end implemented as WCF, the public front site and two intranet sites (all three talking to the back-end). I believe that authentication on the sites is not enough (i.e. passing ClientID to WCF in each request as a parameter) and I want to protect my back-end (WCF) with authentication to perform a double-check and have PrincipalPermission on the methods with roles specified.

I'm sure that identity names from both providers do not cross (public logins are digits only and the intranet will be something like 'DOMAIN\Login'). The front site uses forms auth and its provider returns GenericPrincipal. The intranet sites use Windows auth and I have WindowsPrincipal attached to Page.User.

Is it possible to configure WCF to use two membership providers (the custom one that the front site uses and Windows) out of the box, without writing more custom code? Is it important how my WCF is hosted? Currently it's a Windows service. Do I need to switch to IIS 7?

+1  A: 

I don't think so - you can have only one membership provider. But you can have a custom provider that can authenticate against two different stores based on the credentials presented. For example, it can check if the user name is like domain\login, then try against Active Directory, otherwise try against the web site provider.

Yet another idea is to have two different endpoints for the service. Each will be configured with a specific provider. The service implementation would remain the same - inside, you have to go for claims-based authorization. Check this article for more info: http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel

VinayC
Excellent article, the best I've read so far! I didn't know that each endpoint can be configured to use a specific provider, so your idea looks like a good solution to me. Thanks!
UserControl
@UserControl, there is also part 2 of the article, just realized that part 1 didn't have the link. Here it is: http://www.theserverside.net/tt/articles/showarticle.tss?id=ClaimsBasedSecurityModel2
VinayC
Thanks a lot, bookmarked it!
UserControl
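
The first suggestion in the answer (one custom validator that picks the store from the shape of the user name), sketched as an added example that is not part of the original thread. The class name `DualStoreValidator`, the provider name `PublicSiteProvider` and the domain `DOMAIN` are assumptions; names that match neither pattern are rejected instead of falling through to a default store.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Text.RegularExpressions;
using System.Web.Security;

// Added example: routes each credential to exactly one store by user-name shape.
public sealed class DualStoreValidator : UserNamePasswordValidator
{
    // Assumptions: the front site's provider name and the only accepted AD domain.
    private const string PublicProviderName = "PublicSiteProvider";
    private const string AllowedDomain = "DOMAIN";

    // Per the question: public logins are digits only, intranet logins are DOMAIN\Login.
    private static readonly Regex PublicLogin = new Regex(@"\A[0-9]{1,32}\z");
    private static readonly Regex DomainLogin = new Regex(@"\A(?<domain>[^\\]{1,64})\\(?<login>[^\\/@]{1,64})\z");

    public override void Validate(string userName, string password)
    {
        // Reject empty values before they reach either store.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Authentication failed.");

        bool ok = false;
        Match m = DomainLogin.Match(userName);
        if (m.Success)
        {
            // Only the configured domain is contacted; the caller cannot choose another one.
            if (string.Equals(m.Groups["domain"].Value, AllowedDomain, StringComparison.OrdinalIgnoreCase))
            {
                using (var ctx = new PrincipalContext(ContextType.Domain, AllowedDomain))
                    ok = ctx.ValidateCredentials(m.Groups["login"].Value, password);
            }
        }
        else if (PublicLogin.IsMatch(userName))
        {
            MembershipProvider provider = Membership.Providers[PublicProviderName];
            if (provider == null) throw new InvalidOperationException("Membership provider not configured.");
            ok = provider.ValidateUser(userName, password);
        }
        // Same message on every failure path, so the caller cannot tell which store said no.
        if (!ok) throw new SecurityTokenException("Authentication failed.");
    }
}
```

The validator is wired in through the service behavior's `userNameAuthentication` element with `userNamePasswordValidationMode="Custom"` and `customUserNamePasswordValidatorType` set to the class. It only authenticates; the roles that `PrincipalPermission` checks still have to be supplied separately.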