What is the best way to secure ADO.NET data services? Has anyone used this in production? If yes, what security options have you used?

A: 

Do you mean secure individual query types or the entire service? If the entire service, then you can use the standard IIS methods of securing, such as Windows Authentication. In a controlled Windows environment, where a web service is consuming the services, you can set up a single domain ID to be the authorized user between boxes. Use SSL, of course, to be secure data-encryption-wise.

CodeGrue
+2  A: 

Here is a blog entry that explains in depth how to secure an ADO.NET Data Service.

tbreffni
+1  A: 

@tbreffni posts a good blog entry. In addition to that, within your ADO.NET data service you set entity access rules to control how access is provided for the different entities in the underlying entity data model.

Assuming you have code as follows:

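using System.Data.Services;

// NorthwindEntities is the generated entity data model class.
public class Northwind : DataService<NorthwindEntities>
{
    // Called once per service to set the access policy.
    public static void InitializeService(IDataServiceConfiguration config)
    {
        // "*" applies the rule to every entity set; All grants full read/write.
        config.SetEntitySetAccessRule("*", EntitySetRights.All);
    }
}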

The SetEntitySetAccessRule method allows you to reference either the entire entity model or just a specific entity set and then define permissions based on the EntitySetRights enumeration. The following values are in the enumeration:

None: Denies all rights to access data.

ReadSingle: Authorization to read single data items.

ReadMultiple: Authorization to read sets of data.

WriteAppend: Authorization to create new data items in data sets.

WriteReplace: Authorization to replace data.

WriteDelete: Authorization to delete data items from data sets.

WriteMerge: Authorization to merge data.

AllRead: Authorization to read data.

AllWrite: Authorization to write data.

All: Authorization to create, read, update, and delete data.

A walkthrough for using the Microsoft ADO.NET Services walks through this process here. The EntitySetRights enumeration is documented here.

David in Dakota
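
A least-privilege variant of the InitializeService method from the answer above, as an added example that is not part of the original answers. It assumes the NorthwindEntities model exposes entity sets named Products, Categories, Orders and Customers, and the rights granted to each are illustrative choices.

```csharp
using System.Data.Services;

// Added example. NorthwindEntities is the generated entity model from the
// answer above; the entity set names below are assumed Northwind sets.
public class Northwind : DataService<NorthwindEntities>
{
    public static void InitializeService(IDataServiceConfiguration config)
    {
        // No "*" rule: an entity set without a rule keeps the default,
        // EntitySetRights.None, so sets added to the model later are not
        // exposed until someone grants rights on purpose.

        // Reference data: clients may query and fetch by key, never write.
        config.SetEntitySetAccessRule("Products", EntitySetRights.AllRead);
        config.SetEntitySetAccessRule("Categories", EntitySetRights.AllRead);

        // Orders: read and create, but no replace, merge or delete.
        // EntitySetRights is a flags enumeration, so values combine with |.
        config.SetEntitySetAccessRule("Orders",
            EntitySetRights.AllRead | EntitySetRights.WriteAppend);

        // Customers: fetch one item by key only. ReadSingle without
        // ReadMultiple refuses a query for the whole set.
        config.SetEntitySetAccessRule("Customers", EntitySetRights.ReadSingle);

        // Service operations stay disabled unless granted explicitly.
        config.SetServiceOperationAccessRule("*", ServiceOperationRights.None);

        // Cap result size and keep exception details out of responses.
        config.MaxResultsPerCollection = 100;
        config.UseVerboseErrors = false;
    }
}
```

These rules apply to every caller equally; who is allowed to reach the service at all is still decided by the IIS authentication and SSL setup described in the first answer.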