I have an MVC website that sits on top of a WCF service. The WCF service is also accessible to the internet with username/password authentication using message security and certificates. This is set up and working.

Both the website and the service use the same membership store, using the membership API.

A user can log onto either the website or the service using the same credentials. However, when the website calls the service, it needs to pass the credentials of the currently logged on user. I can get the username from

Membership.GetUser().UserName

but I can't get the password!

Is there another way to essentially pass the website user credentials to the service?

Any help much appreciated...

A: 

Hello,

This is a very strange architecture. Why authenticate the user twice? Just set up a different endpoint (net.pipe) for your MVC application and avoid the second authentication. If you need to know the authenticated user on the service as well, you have two choices, depending on the trust in your MVC application:

  1. Send the user name as a custom message header. Cons: If a hacker bypasses your authentication, she can call your service with any user name.
  2. Don't authenticate the user directly in MVC. Instead, always authenticate the user in WCF and create a custom membership provider for MVC which will call the authentication service. The service will also generate a token for your authenticated user, and each operation will validate that token. Cons: Complexity.

Edit: There is a related post with a similar question. You can find other suggestions there.

Best regards, Ladislav

Ladislav Mrnka
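
The token from option 2 in the answer above, sketched as an added example that is not part of the original answer or of WCF itself. The class name `ServiceTokenIssuer` and the token layout (user name, expiry, HMAC-SHA256 signature) are assumptions chosen for illustration; the point is that the service can trust the user name in the token because only the service holds the signing key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (assumption): not part of WCF or the membership API.
public sealed class ServiceTokenIssuer
{
    private readonly byte[] _key;   // secret held only by the WCF service

    public ServiceTokenIssuer(byte[] key) { _key = key; }

    // Called once, after the service has checked username/password.
    public string Issue(string userName, DateTime expiresUtc)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(userName))
                         + "." + expiresUtc.Ticks;
        return payload + "." + Sign(payload);
    }

    // Called at the start of every operation; returns the user name or null.
    public string Validate(string token, DateTime nowUtc)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3) return null;
        string payload = parts[0] + "." + parts[1];
        if (!FixedTimeEquals(Sign(payload), parts[2])) return null;   // forged or altered
        long ticks;
        if (!long.TryParse(parts[1], out ticks) || ticks < nowUtc.Ticks) return null; // expired
        return Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
    }

    private string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(_key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Compare signatures without exiting early on the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The MVC site would store the issued token for the logged-on user and send it with each call, for instance in the custom message header from option 1; a caller that changes the user name inside the token fails the signature check in `Validate`.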