WCF service needs role access method security

    Question

  • I have a wcf service setup for windows authentication. I have a silverlight application that allows users to navigate the web pages based on Active Directory windows authentication and their group roles. The problem I am having is that my wcf service does not allow for role based group security. Because of this, any active directory user is able to call any of the wcf service's web methods no matter what their group role is. I need to setup my wcf service to only allow users in certain roles to call a subset of the service's web methods. Please help.

    Thanks,

    Steve Holdorf

    Thursday, February 02, 2012 6:00 PM

Answers

  • Hi holdorfs,

    As far as I know, you can make use of the PrincipalPermission attribute. It is an easy way to demand that an invoker of a Microsoft .NET Framework method be within a specific role. In order to help you learn how to use this attribute, please check the link below:

    Securing Your Silverlight Applications

    There is a code sample which demonstrates how this might be applied to a ServiceOperation in WCF where the calling user must be part of the “OrderApprovers” role:

    // Requires: using System.Security.Permissions;
    // The demand is evaluated against Thread.CurrentPrincipal before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "OrderApprovers")]
    public void ApproveOrder(int orderId)
    {
        OrderManager.ApproveOrder(orderId);
    }
    Wednesday, February 08, 2012 12:49 AM

All replies

  • WCF RIA Services has security built in, so since you are asking I am guessing you are using plain WCF and not WCF RIA Services?

    Thursday, February 02, 2012 6:13 PM
  • I found one article which may be helpful, http://msdn.microsoft.com/en-us/magazine/cc948343.aspx

    If you need additional help and you are using WCF, not WCF RIA Services, then the correct forum is http://social.msdn.microsoft.com/Forums/en-US/silverlightweb/threads//1?Accessing+Web+Services+with+Silverlight.

    Thursday, February 02, 2012 6:17 PM
  • Thanks for your quick response. You are correct, I am using wcf without ria services. I was reading an article in which attributes were being set on web methods so that groups allow users in that group role to access the web method. First, is this possible for wcf without ria services, and second, if this is not possible without ria services, then what is the best way to do this with plain wcf?

    Thanks,

    Steve Holdorf

    Thursday, February 02, 2012 7:28 PM
  • OK. Currently I have a class that I create in the silverlight GUI called ServiceAccessor.cs. Now this class has two properties named UserName and AccessLevel. What I am doing is setting the ServiceAccessor.UserName = WindowsIdentity.CurrentUser and the ServiceAccessor.AccessLevel to an integer Enum that represents the role level of the user's group (i.e. Administrators). Now, when I make my WCF call I do it as follows:

    MainPage.xaml.cs:

    // Silverlight client: fills in the caller's name and level and sends them with the request.
    ServiceAccessor sa = new ServiceAccessor();
    sa.UserName = WindowsIdentity.GetCurrent().Name;  // .NET Framework API for the current Windows user name
    sa.AccessLevel = Level.Admin;
    src.GetDataAsync(sa);

    WCF Service Method:

    // Both the user name and the access level arrive from the client in the request body.
    public string GetData(ServiceAccessor sa)
    {
        if (sa.AccessLevel >= Level.Admin)
        {
            if (Roles.IsUserInRole(sa.UserName, "Administrator"))
                return "1";
            else
                return "0";
        }
        return "-1";
    }

    This code allows me to prevent hackers from mocking up a front end and calling my web methods outside of my applications. Is there a better way of doing this?

    Thanks,

    Steve Holdorf

    Sunday, February 05, 2012 12:33 PM
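    The following is an added example, not code from this thread or from the linked article. It shows how the GetData operation above could be rewritten so the service takes the caller's identity and group membership from the Windows authentication context WCF already established for the call, instead of from UserName and AccessLevel fields that the client fills in. It combines the PrincipalPermission attribute from the accepted answer with an equivalent imperative check. The contract name IDataService, the operation names, and the role string BUILTIN\Administrators are assumptions for illustration; a deployment would use its own domain group name in the same DOMAIN\Group form.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract for this example. Only the item being requested travels
// in the message; who the caller is comes from the authenticated transport.
[ServiceContract]
public interface IDataService
{
    [OperationContract]
    string GetData(int itemId);

    [OperationContract]
    string GetAdminReport();
}

public class DataService : IDataService
{
    // Any authenticated Windows user may call this operation.
    public string GetData(int itemId)
    {
        // ServiceSecurityContext exposes the identity WCF authenticated for this call.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new FaultException("Windows authentication is required.");

        return string.Format("{0}:{1}", caller.Name, itemId);
    }

    // Declarative check (the approach from the accepted answer). With the default
    // serviceAuthorization principalPermissionMode of UseWindowsGroups, WCF sets
    // Thread.CurrentPrincipal to the caller's WindowsPrincipal, and the runtime
    // raises a SecurityException (returned to the client as a fault) before the
    // method body runs if the caller is not in the named group.
    // "BUILTIN\Administrators" is a placeholder; use the real domain group here.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
    public string GetAdminReport()
    {
        // Imperative form of the same check, for cases where the role to demand
        // is decided at run time rather than fixed in an attribute.
        WindowsPrincipal principal =
            new WindowsPrincipal(ServiceSecurityContext.Current.WindowsIdentity);
        if (!principal.IsInRole(WindowsBuiltInRole.Administrator))
            throw new FaultException("Caller is not an administrator.");

        return "admin report";
    }
}
```

    The attribute only has an effect when the binding actually performs Windows authentication (for example a basicHttpBinding or wsHttpBinding configured for Windows credentials) and the service's serviceAuthorization behaviour leaves principalPermissionMode at its default, UseWindowsGroups; with any other mode the role name is resolved against a different principal source. Because the group test happens on the server against the identity the transport authenticated, a hand-built client that sends a different UserName or a higher AccessLevel gains nothing, which is the gap in the request-field approach shown above.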
  • Maybe, again you are in the wrong forum, you are much more likely to get better help in the correct forum.

    Monday, February 06, 2012 9:58 AM