Windows Authentication and Authorization
Hi,
Need some help on an authentication and authorization framework we can consider for the following requirements.
Infrastructure:
UI - Windows Forms
Middle tier - WCF services provide services to the UI layer
DB - SQL
Intranet application
User information will be maintained in Active Directory and in the DB.
Authentication:
I am using wsHttpBinding with secure conversation enabled and Windows client credentials. It seems to work fine (it authenticates all Windows users configured in Active Directory).
My requirement is that I should provide services only to Windows users who are members of a predefined group, e.g. group name "domainName/AppUsers" (configured in Active Directory).
Can we accomplish this in WCF authentication?
Authorization requirements
1. There will be different types of forms (ex: a form to enter order info, a form to enter payment info).
2. Each form will have contacts defined and their roles mentioned in it (ex: for Order #1 User A is a power user and User B is a viewer; in Order #2 User C is a power user and User A is a viewer; in Payment #1 User X is a power user, etc.).
3. A person can assume different roles in different forms, even in the same type of form (ex: User A can be a power user in Order #1 and just a viewer in Order #2). [There are roles, but the role of a user changes from form to form.]
- My understanding is that this requirement rules out roles based on Windows groups.
4. Each form type has different rules for a role (ex: the Order form will display all fields for a POWER USER and disable all fields for a VIEWER; the Payment form will display all fields for a POWER USER and disable only a few fields for a VIEWER; in the Order form a POWER USER should be able to edit and delete, whereas a VIEWER can just view it).
- Each form will have a set of privileges defined for a role, and these need to be customizable (in all Order forms a POWER USER will have the same set of privileges, all VIEWERs will have the same set of privileges, etc.).
When the presentation layer (UI) calls WCF requesting a service, we should be able to authenticate it (as of now we authenticate using secure negotiation of Windows credentials), authorize it and return the corresponding response to the presentation layer.
ex:
If a VIEWER calls the DELETE method on an ORDER form, the WCF service should send a response back saying that he/she is not authorized to delete the order.
If a VIEWER calls a method to display an ORDER form, WCF should return all the data that needs to be displayed in the ORDER form as well as information about which fields the user should be able to edit (enabled in the UI), which fields should be hidden, etc.
I would appreciate it if anyone could share their expertise and point me in the right direction on choosing the right methodology to implement this.
All replies
Windows security can handle all of this for you. Just specify Windows authentication, then look at the IPrincipal for the current identity. There is a method called IsInRole that you can call to check whether a user is in a role. You can use this to help you show/hide fields, enable saving, etc.
http://msdn.microsoft.com/en-us/library/system.security.principal.iprincipal_members.aspx
Thank you for your response. I would appreciate it if you could provide more details on this.
1. How could I authenticate only users who belong to a specified user group? [Secure conversation should not establish a secure session when the user does not belong to a specified group maintained in Active Directory.]
2. As user roles change from form to form (ex: in Order 1 user A can be a power user and in Order 2 he/she can be just a viewer; here Order is a form type), how do we assign roles dynamically?
There might be a case where in the user interface the user opens Order 1 and Order 2, switches between them and invokes operations.
Any ideas regarding this would be appreciated.
Any other ideas on this?
Thanks.
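The two checks asked about in this thread, as an added example that is not code from the original posts: a coarse gate on the caller's Windows identity using WindowsPrincipal.IsInRole against the AD group, followed by a per-order role lookup that stands in for the contacts/roles table in the database. The group name, account names, field names and the OrderRoles dictionary are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;

// Role a caller holds on one specific form instance; comes from the application's own data, not from AD.
public enum FormRole { None, Viewer, PowerUser }

[ServiceContract]
public interface IOrderService
{
    [OperationContract] IList<string> GetEditableFields(int orderId);
    [OperationContract] void DeleteOrder(int orderId);
}

public class OrderService : IOrderService
{
    const string AppUsersGroup = @"DOMAIN\AppUsers";   // placeholder; load from config in practice

    // Stand-in for the per-form contact/role table in the DB. Key: "orderId|account". Constructed sample data.
    static readonly Dictionary<string, FormRole> OrderRoles = new Dictionary<string, FormRole>(StringComparer.OrdinalIgnoreCase)
    {
        { @"1|DOMAIN\UserA", FormRole.PowerUser },
        { @"2|DOMAIN\UserA", FormRole.Viewer },
    };

    // Gate 1: with Windows client credentials WCF exposes the authenticated caller here.
    static WindowsIdentity RequireAppUser()
    {
        var ctx = ServiceSecurityContext.Current;
        var identity = ctx == null ? null : ctx.WindowsIdentity;
        if (identity == null || identity.IsAnonymous || !new WindowsPrincipal(identity).IsInRole(AppUsersGroup))
            throw new FaultException("Caller is not a member of " + AppUsersGroup);
        return identity;
    }

    // Gate 2: the role is a property of (order, user), so it is resolved per call, never cached per session.
    static FormRole RoleOn(int orderId, WindowsIdentity id)
    {
        FormRole role;
        return OrderRoles.TryGetValue(orderId + "|" + id.Name, out role) ? role : FormRole.None;
    }

    public IList<string> GetEditableFields(int orderId)
    {
        switch (RoleOn(orderId, RequireAppUser()))
        {
            case FormRole.PowerUser: return new[] { "Customer", "Amount", "Status" };
            case FormRole.Viewer:    return new string[0];   // viewer: every field disabled in the UI
            default: throw new FaultException("No access to order " + orderId);
        }
    }

    public void DeleteOrder(int orderId)
    {
        if (RoleOn(orderId, RequireAppUser()) != FormRole.PowerUser)
            throw new FaultException("Not authorized to delete order " + orderId);
        // delete the order here
    }
}
```

Gate 1 could equally be expressed as [PrincipalPermission(SecurityAction.Demand, Role = @"DOMAIN\AppUsers")] on each operation under the default UseWindowsGroups principal permission mode. Either way the check runs per message after the secure session already exists, so non-members get a fault on every call rather than being refused at session establishment.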