tags:

views:

543

answers:

2
Q: 

Authenticating WCF Endpoint request though multiple "Stores"

Can a single WCF Service endpoint be set up to authenticate against multiple Authentication stores? i.e. if UserName and Password supplied check Custom DB, otherwise try Windows Auth.

Background:

I have WCF Service A which is injected with a client proxy to WCF Service B. Service B could have a dependency on Service C etc.

A User request to Service A comes in and is authenticated using a custom UserNamePasswordValidator, and a ClaimSet is built using a custom implementation of IAuthorizationPolicy.

The authentication succeeds and the service operation on A is invoked. This operation makes a call to Service B via the injected proxy.

The Service B request then goes through the Auth/Authz stack but fails because no credentials have been set. As Service A called Service B I trust it so want the authorization to succeed without having to pass around the User Name and Password of the original caller.

However it is possible that Service B can be called directly by a User with a username and password, so it must support both methods of authentication.

A: 

I'm pretty sure support for multiple credential types on one endpoint does exist. It might have been added with the Geneva framework, so I would look into that. This article mentions having an STS authenticate multiple credential types, so I would assume there is a way to do it with a normal service too without an STS.

When I needed to have multiple 'keys' to authenticate with, I made a custom ClientCredential class instead.

Sorry for the short answer, but I need to leave home to get to work... Work is such a hindrance to SO time :)

rally25rs  2009-03-20 12:14:42
A: 

I managed to get this response from a contact at Microsoft:

You can't have different security mechanisms on a single endpoint, you'd have to expose a separate endpoint for each security protocol you need as each one needs a separate binding configuration since the authentication mechanism is part of the endpoint definition.

Multiple security modes on a single endpoint is something that's supposed to be coming with .NET 4.0.

crowleym  2009-03-20 15:31:52

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security