.NET WCF permissions

Question

I have setup a .NET WCF web service that will expose some methods to create/update email alerts for different contactsIds. The webservice is going to live behind the firewall.

My fear is that if we expose a call like:

bool SetAlertTemplate(int alertId, int templateId);

One of the client websites could modify unintentionally an alert that does not belong to the contactId that is using the website.

Even if i use:

bool SetAlertTemplate(int alertId, int contactId, int templateId);

It could create a problem in the future if we expose the webservice to the public. Where anyone could modify any alert.

What is the best way to expose a webservice and be sure that the client has permissions to modify the alert of a contactId, and hopully not sending these parameters with every call.

Answer 1

Configure your WCF service to translate the authenticated user to a proper IPrincipal instance. This ensures that in the rest of the call stack, Thread.CurrentPrincipal will represent the authenticated user.

From your description it sounds like you need to protect assets (alerts), which means that you will need to implement Access Control Lists (ACLs) on the assets.

Whenever anyone attempts to modify the asset, you can check whether Thread.CurrentPrincipal is allowed to modify that particular asset according to its ACL.

Related answers:

• http://stackoverflow.com/questions/2030177/permissions-design/2030825#2030825
• http://stackoverflow.com/questions/2064191/architechture-of-service-application-in-wcf/2064268#2064268
• http://stackoverflow.com/questions/2093983/how-to-save-user-object-in-wcf/2094067#2094067