WCF 3.5 and RESTFul Authentication

    Question

  • I am trying to write a RESTFul WCF 3.5 WebService. I already have a Custom Membership provider for authentication for an ASP.NET Web Site. I would like to reuse this custom membership provider in the Context of REST.

    How would I go about that with the webHttpBinding? I am Hosting in IIS version 6 or version 7 (whatever will work).

    This service MUST be able to be called by non-Microsoft clients. It must not use SOAP or WS* because we want a RESTFul API.

    How would I go about plugging my membership provider into WCF using IIS? Also how would client code authenticate and be kept authenticated?

    What I don't want is to be passing a username and password around like Basic HTTP Auth (however, I will be using SSL). I basically want to have the user log in once using perhaps a login method and then have a parameter that has a session id of some sort? My web server is 'stateless', so all I really want is to make sure the user is authorized, and have a properly constructed membership object, to access their name and other properties I have available without hitting the database on multiple calls.

    Any help would be great! Thanks!
    Wednesday, July 16, 2008 4:45 PM

Answers

  • Hi Brian,

    Two things that are worth mentioning:

    1. Basic authentication in IIS always uses Windows accounts (it cannot be used with accounts stored in a database), unless you decide to use this custom module: http://www.codeplex.com/CustomBasicAuth

    2. If you use basic authentication, the service should receive the username/password in each call (as you said, SSL should be used). You could probably create an encrypted cookie (something similar to the session id you mentioned) with the credentials (using FormsAuthentication, perhaps) to avoid sending the credentials every time. However, in order to use this approach you have to resolve two things:

    a. How to initially authenticate the user and create the cookie. You could have a service operation (Login) configured with SSL; it authenticates the user and generates the cookie.

    b. The cookie should be sent for any consecutive calls to other service operations.

    c. You can have an authorization policy configured for the rest of the services that uses Forms Authentication to validate the cookie and set up the right credentials in the WCF context.

    Does this make sense to you?

    Regards,

    Pablo.

    Friday, July 18, 2008 1:14 PM
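Step c of the scheme Pablo describes, as an added example that is not code from this thread or from the CustomBasicAuth module: a WCF IAuthorizationPolicy that validates the forms-authentication cookie on every REST call and installs the resulting principal in the WCF context, so no database round trip is needed per call. It assumes the Login operation issued a FormsAuthenticationTicket with the user's roles stored comma separated in UserData, that the service shares the same machineKey as the issuer, and that the class name is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Net;
using System.Security.Cryptography;
using System.Security.Principal;
using System.ServiceModel.Web;
using System.Web.Security;

// Hypothetical policy: validates the forms cookie on each request and sets the WCF principal.
public class FormsCookieAuthorizationPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        IPrincipal principal = PrincipalFromFormsCookie();
        if (principal == null)
            return false;  // no valid ticket: caller stays anonymous and role checks fail
        evaluationContext.Properties["Principal"] = principal;
        evaluationContext.Properties["Identities"] = new List<IIdentity> { principal.Identity };
        return true;
    }

    // Reads the Cookie header, decrypts the .ASPXAUTH ticket with the shared machineKey and
    // rebuilds the principal; roles are assumed to be comma separated in ticket.UserData.
    private static IPrincipal PrincipalFromFormsCookie()
    {
        WebOperationContext ctx = WebOperationContext.Current;
        string header = ctx == null ? null : ctx.IncomingRequest.Headers[HttpRequestHeader.Cookie];
        if (string.IsNullOrEmpty(header)) return null;
        string prefix = FormsAuthentication.FormsCookieName + "=";
        foreach (string part in header.Split(';'))
        {
            string cookie = part.Trim();
            if (!cookie.StartsWith(prefix, StringComparison.Ordinal)) continue;
            try
            {
                FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Substring(prefix.Length));
                if (ticket == null || ticket.Expired) return null;  // tampered, foreign or stale ticket
                string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
                return new GenericPrincipal(new FormsIdentity(ticket), roles);
            }
            catch (ArgumentException) { return null; }        // malformed cookie value
            catch (CryptographicException) { return null; }   // wrong key or altered ciphertext
        }
        return null;
    }
}
```

The policy is wired up in the service's web.config under `<serviceAuthorization principalPermissionMode="Custom">` with an `<authorizationPolicies>` entry naming the class, after which `[PrincipalPermission]` role checks on the operations use the decrypted ticket.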

All replies

  • Another thought... Can't I just use Basic HTTP Auth and build an IPrincipal each time? I know it would hit the database each time. But with SSL transport security wouldn't it be just as secure?

    This seems like a very REST like thing to do. You could do some sort of cache in the Application Context if performance was a problem... That would still allow for Web Gardens...

    Anyone else with some insight? I must say the WCF support for REST in 3.5 is fairly simple! Good job guys!
    Thursday, July 17, 2008 3:09 AM
  • Thanks, Pablo...

    We actually found that web site right after I posted yesterday. Well, anyway, we had a horrid time figuring out how to plug everything in. It seems like I have more config settings now than code.

    We also had to comment out SetPrincipal in his code because we set the Principal in our Business Membership provider. The reason is his SetPrincipal was casting our Principal to a generic Principal (causing CSLA to blow up).

    Also CustomBasicAuth module has built in cache with the ability to set time-outs. This is great as it won't hit our database as much. Also this is fairly secure in the way he implemented it because he hashes the password in the cache.

    Very nice module! We have yet to get it working in IIS7 (have not tried yet). But now we can create a REST Service and authenticate using our CSLA Business Objects!!! Yay!

    This authentication business is just waaaaayyy tooo hard. It's nice that Microsoft built in some REST support. But to not have easy authentication in WCF for REST is an oversight that, in my opinion, makes the REST module essentially useless for many of us. Of course WCF has, and IIS has, a great modification capability that allows us to subvert this default behavior... So, in the end we got what we wanted... But not after being frustrated and overwhelmed! No one likes hoop jumping!

    Thanks for your quick reply Pablo and pointing us in the right direction. It's nice to know we are going down the right path.

    We are happy to say that we even got Windows Mobile and J2ME / JavaMe clients authenticating with our basic REST Service! Wooohoo!

    It is possible!


    Friday, July 18, 2008 5:14 PM
  • Would you like to share how you did it? Some code would be nice :)
    Friday, May 15, 2009 12:19 AM
  • OK, I do basic authentication using a custom module; I populate my IPrincipal and IGeneric on the server and in the WCF context, so I have basic authentication that works for RESTful and my web service endpoints, and the transport authentication I will protect using SSL. OK, but when I try to access this using Silverlight, the big surprise: all the time a popup asking for the username and password. I cannot find a workaround for this yet; does someone have any idea?


    Juliano
    Friday, September 04, 2009 4:44 PM
  • Hi people!

    This is a very interesting thread to me at the moment. I am implementing a very similar project..... but of course I am having some small problem(s).

    Let me explain my setup:

    • A basic MVC website which authenticates the user (normal login page) against the standard Membership roles database (ASPNETDB), will be using SSL to authenticate in production.
    • I have a WCF Application (using REST methods) which uses a class that implements Microsoft.ServiceModel.Web.WebServiceHost2Factory ie. webHttpBinding. Note that this WCF application does not run under the MVC project, it runs independently.
    Once the user logs in successfully from the MVC website, any request (from javascript: non asp.net ajax, could be any framework) made to the WCF service need to be seamless. So what I'm doing is sending the .ASPXAUTH cookie to the WCF service to prove the client is authenticated, once within the WCF server, I Intercept the cookie and use Membership.Decrypt on the .ASPXAUTH value and get the ticket, then create an Identity and Principal so I can authorize according to roles etc.

    Now, everything works beautifully when working locally on my dev machine, I have the WCF service working on one port and the MVC website on another port, I can call the WCF server without a problem from the MVC website using plain javascript which is exactly what I need........BUT.....

    ...when I deploy to one of our dev servers, Win2008 running IIS7, it does not work. The symptom is, after authenticating the user from MVC, then I try to call the WCF service through js, the ajax request/response hangs; even if I try to access the url directly from the browser address bar, the WCF server never responds. I checked the event logs but there are no exceptions recorded. So I tried debugging by remarking line by line and noticed that it worked as soon as I remarked the Membership.Decrypt command. Weird, it works perfectly locally on my machine, but not after deploying to the server? I can't figure it out.

    Other things that might HELP you HELP me :)
    • I am deploying both the MVC and WCF apps on the same domain under separate virtual directories - because of crossdomain issues from javascript.
    • Before you ask, YES, I have setup up the same machineKey entry in both the MVC and WCF web.config files.

    Am I doing something wrong? Am I missing out on some setting on the server?

    If anybody could help me with this problem, it would be greatly appreciated.


    take it easy
    bruce
    Cbr600rr
    Friday, November 20, 2009 12:17 PM
  • good question. Thanks
    Frank Xu Lei--humble as if foolish, eager as if hungry
    Focus on Distributed Applications Development and EAI based on .NET

    Old Xu's website: http://www.frankxulei.com/

    Microsoft WCF Chinese technical forum
    Microsoft WCF English technical forum

    Windows Azure Chinese technical forum

    Tuesday, February 15, 2011 1:16 AM