Same Role provider (ASP.NET Services database) for various WCF services

    Question

  • Hi there,

    Service Authentication

    Have configured the WCF service to implement authentication using AD (Active Directory); when a request comes from the client it is authenticated against Active Directory and access is either allowed or denied based on the credentials passed to the service.

    Authorization using ASP.NET Role provider

    Have implemented method-level authorization using the SecurityPermission attribute, which checks the role data in the ASP.NET Services database (in other words the Membership database) against the aspnet_roles and aspnet_Users_InRoles tables to allow / deny access to a particular method.

    It works well with a single instance of the service, where the requests come from multiple client applications.

    In the above implementation, the WCF service is configured to use the ASP.NET Membership database to authorize access to particular methods.

    Query

    Would like to know if it is feasible/best practice to utilise the same instance of the ASP.NET Membership database to implement role-based authorization on a number of WCF services.

    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public string GetData(int value)
    {
        return string.Format("You entered: {0}", value);
    }

    WCF web.config

    <!-- ConnectionStrings section -->
    <connectionStrings>
        <add name="AspNetServices" connectionString="Server=XXXXX;Database=aspnetdb;User ID=AspNetServicesuser;Password=password" providerName="System.Data.SqlClient"/>
    </connectionStrings>

    <!-- Membership, Role provider configuration -->
    <!-- Membership provider -->
    <membership defaultProvider="WCFAspNetMembershipProvider">
        <providers>
            <clear/>
            <add name="WCFAspNetMembershipProvider" connectionStringName="AspNetServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Clear" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
        </providers>
    </membership>
    <!-- Role provider -->
    <roleManager enabled="true" defaultProvider="FirstRoleProvider">
        <providers>
            <clear/>
            <add connectionStringName="AspNetServices" applicationName="/" name="FirstRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
        </providers>
    </roleManager>

    <!-- Service behavior, endpoints configuration -->
    <system.serviceModel>
        <bindings>
            <wsHttpBinding>
                <binding name="MembershipBinding">
                    <security mode="Message">
                        <message clientCredentialType="UserName"/>
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>

        <services>
            <service name="Service" behaviorConfiguration="ServiceBehavior">
                <!-- Service Endpoints -->
                <endpoint address="" binding="wsHttpBinding" contract="IService">
                    <!--
                        Upon deployment, the following identity element should be removed or replaced to reflect the
                        identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
                        automatically.
                    -->
                    <identity>
                        <dns value="localhost"/>
                    </identity>
                </endpoint>
                <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
            </service>
        </services>
        <behaviors>
            <serviceBehaviors>
                <behavior name="ServiceBehavior">
                    <serviceCredentials>
                        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                            membershipProviderName="WCFAspNetMembershipProvider"/>
                    </serviceCredentials>
                    <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
                    <serviceMetadata httpGetEnabled="true" httpGetUrl="absolute"/>
                    <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
                    <serviceDebug includeExceptionDetailInFaults="false"/>
                </behavior>
            </serviceBehaviors>
        </behaviors>
    </system.serviceModel>

    To elaborate further, I would like to utilise the same instance of the ASP.NET membership database to implement role-based authorization for various WCF services.

    Apriori algorithm [association rule]
    Monday, September 20, 2010 3:06 PM

All replies

  • Hello,

    Yes, you can share the same membership and roles provider for several WCF services, and I think it is a good approach. There is no reason to have these data in a separate database for each service. You just need to define a single behavior and use it in all services (if they are in the same web application).

    Best regards,
    Ladislav

    Monday, September 20, 2010 7:51 PM
  • Hi Sukumar,

    Yes, you can use a single ASP.NET membership provider instance for multiple WCF service applications, just like you can use a single membership provider/role provider instance for multiple ASP.NET web applications. What you should take care of is whether the membership account or role set is always synchronized between those applications that use it.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Wednesday, September 22, 2010 3:49 AM
    Moderator
  • Thanks for valid responses.

    I would like to store the USERS and Roles of different WCF services in a single instance of the Membership database. I hope that my initial query didn't explain this properly.

    To make it clear, I'd like to use a single instance of the ASP.NET Membership database for multiple WCF services, so that the users always stay the same, whereas the roles data changes between WCF services.

    Example: USER1 IN APPLICATION 1 IS EDITOR
             USER1 IN APPLICATION 2 IS ADMIN.

    Thanks,


    Apriori algorithm [association rule]
    Thursday, September 23, 2010 9:14 AM
  • Thanks for reply Sukumar,

    So I've got that the user account set is the same between applications, while the roles will vary between different applications, though you want to store them in a single ASP.NET membership and role database instance, correct?

    I think the answer is still YES. The ASP.NET membership and role providers support an "ApplicationName" property, and you can always explicitly set an applicationName before creating or accessing a membership user or role. This ensures that membership accounts or roles of different applications are stored and used within a single database instance without affecting each other:

    #RoleProvider.ApplicationName Property
    http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.applicationname.aspx

    #Always set the "applicationName" property when configuring ASP.NET 2.0 Membership and other Providers
    http://weblogs.asp.net/scottgu/archive/2006/04/22/Always-set-the-_2200_applicationName_2200_-property-when-configuring-ASP.NET-2.0-Membership-and-other-Providers.aspx


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Friday, September 24, 2010 2:03 AM
    Moderator
  • Thanks Steven.

    Yes, you got it right.

    Could you forward any resources/references that are implemented using a single ASP.NET Membership data store in WCF services, please?

    I have a single Web.config where different WCF services are running, as explained below.

    Root level: Microsoft\
                    \ServiceOne
                    \ServiceTwo

     So the relevant services can be accessed using the service URL. Example:

    In order to access service two, the URL will be http:\\microsoft\ServiceTwo.svc

    For ServiceOne it will be http:\\microsoft\ServiceTwo.svc

    I am aware that it is feasible to configure a number of role providers in Web.config and access them in the code-behind.

    // Look up a named provider from the <roleManager><providers> section of Web.config
    RoleProvider serviceOneRole = Roles.Providers["Key"];

    To elaborate my query further, I would like to know:

    1. How to use multiple role providers from different services that share a single configuration file (Web.config).
    2. Whether there is a better approach where each service can be configured through its endpoint or similar, so that each service can be configured to use the same role provider, with the application name attribute segregating the roles between them.

    Please let me know if my query is not clear.


    Apriori algorithm [association rule]
    Friday, September 24, 2010 8:55 AM
  • Hi Sukumar,

    For using ASP.NET membership in WCF service, you can refer to the following articles:
    #How to: Use the ASP.NET Membership Provider
    http://msdn.microsoft.com/en-us/library/ms731049.aspx

    #Membership provider with WCF
    http://www.dotnetfunda.com/articles/article784-membership-provider-with-wcf-.aspx

    The basic steps are:

    ** add the membership provider instances in the web.config file (just like you do in an ASP.NET web application).

    ** add a reference to the particular membership provider instance in your WCF service's serviceBehavior.

    So the membership provider is specified in the serviceBehavior setting; it is per-service rather than endpoint based.

    BTW, for the "ApplicationName", you can explicitly specify it in the <membership><add> ... element in the web.config file so that you force a certain membership (or role) provider to use a certain ApplicationName as its default application.

    #providers Element for membership (ASP.NET Settings Schema)
    http://msdn.microsoft.com/en-us/library/6d4936ht.aspx


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    • Marked as answer by Mog Liang Monday, October 04, 2010 7:16 AM
    • Unmarked as answer by Sukumar Raju Friday, May 20, 2011 3:41 PM
    Monday, September 27, 2010 2:37 AM
    Moderator
  • Thanks very much Steven.

    I have used the ASP.NET Membership provider in ASP.NET applications and have written a few articles on my blog on how to install ASP.NET membership and configure web applications to utilise the membership database to implement authentication and authorization in an application. http://weblogs.asp.net/sukumarraju

    Having relative/moderate knowledge of ASP.NET Membership databases and the API, I strongly believe that it is quite feasible to utilise the same Membership database for a number of WCF services. Being a newbie to WCF services, I am looking for any good article or resource that would explain how a number of different WCF services can be configured to utilise the same membership database.

    Your help and insight is appreciated.

    Regards,

    sukumarraju


    Apriori algorithm [association rule]
    Monday, September 27, 2010 9:02 AM
  • Thanks for reply Sukumar,

    Based on my research, so far all the membership provider related WCF articles or references are talking about how we can switch to using the membership provider (to replace the default authentication provider for username auth), and there is no definite limitation on the number, or difference between ASP.NET and web service applications. Actually, just like the membership provider can be used in a non-ASP.NET application context (in a console or WinForms application), WCF just utilizes it as an alternative authentication DB storage. And all the configuration on the membership provider itself should be usable in a WCF service too.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Wednesday, September 29, 2010 3:07 AM
    Moderator
  • Apologies for unmarking the answers due to lack of solution.

    The objective is to use the same instance of the ASP.NET Membership database with a single service (say, a Security service). The Security service can be utilised by a number of clients (apps).

    I would like to know how to configure the WCF service to use different Membership configurations when responding to different client requests.

    Example:

    Client X sends a request to access the method IsUserInRoles("username"); the WCF Security service should utilise the Membership database that is relevant to Client X.

    Note that authentication is implemented using Active Directory and is working well, such that any client can utilise the Validate() and IsUserInActiveDirectoryGroup("username") methods from the service to implement authentication.

    When it comes to authorization, it is required to serve different clients (applications) by choosing different Membership configurations from the service Web.config.

    It does not seem to be feasible from service endpoints. What are the options to achieve the above?

    Your help is appreciated.


    Apriori algorithm [association rule]
    Friday, May 20, 2011 3:49 PM
  • Rather than getting it to work from the endpoint or behaviour, the functionality is achieved by passing the application name from the client side while accessing particular authorization methods, as shown below.

    using System;
    using System.Linq;
    using System.ServiceModel;
    using System.Web.Security;

    /// Service method with parameter applicationname
    public bool IsUserInRole(string role, string applicationname)
    {
        // Find the role provider whose configured applicationName matches (case-insensitive)
        RoleProvider roleProvider = Roles.Providers.Cast<RoleProvider>()
            .Single(s => string.Equals(s.ApplicationName, applicationname, StringComparison.OrdinalIgnoreCase));

        // Ask the selected provider (not the default one) about the authenticated caller
        string user = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return roleProvider.IsUserInRole(user, role);
    }


    The client does the following:

    1. Create a reference.

    2. Check whether a particular user is in the specified role.

    3. Provide data from the data service or deny with a user-friendly message.

    using System.ServiceModel;
    using SecurityService;
    using DataService;

    SecurityService.Service1Client securityClient = new SecurityService.Service1Client();
    DataService.Service1Client dataClient = new DataService.Service1Client();

    try
    {
        securityClient.Open();

        if (securityClient.IsUserInRole("Admin", "applicationName"))
        {
            // open data service
            dataClient.Open();

            gvEmployees.DataSource = dataClient.GetAllEmployees();
            gvEmployees.DataBind();
        }

        // close client references on the success path as well
        securityClient.Close();
        dataClient.Close();
    }
    catch (CommunicationException)
    {
        // a faulted proxy cannot be Close()d; Abort() releases it
        securityClient.Abort();
        dataClient.Abort();
    }


    Valid suggestions on this approach will be greatly appreciated.


    Apriori algorithm [association rule]
    Tuesday, May 24, 2011 1:36 PM
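An added example, not the poster's code, of the service method above reworked so that the client still names the application but cannot influence whose roles are checked: the provider is selected by its configured applicationName, unknown names fail closed, and the user name comes from the caller's identity established by the binding rather than from the request. It assumes web.config declares one SqlRoleProvider per client application on the shared connection string, with applicationName values such as "/AppOne" and "/AppTwo" (assumed names).

```csharp
// Added example (not from the thread). Assumes <roleManager> in web.config lists
// one SqlRoleProvider per client application, all on the same connection string,
// e.g. name="AppOneRoles" applicationName="/AppOne" and
//      name="AppTwoRoles" applicationName="/AppTwo"   (assumed names)
using System;
using System.Linq;
using System.ServiceModel;
using System.Web.Security;

[ServiceContract]
public interface ISecurityService
{
    [OperationContract]
    bool IsUserInRole(string role, string applicationName);
}

public class SecurityService : ISecurityService
{
    public bool IsUserInRole(string role, string applicationName)
    {
        // Roles.Providers is shared by every request, so pick a provider instance
        // rather than assigning Roles.ApplicationName, which would race between
        // concurrent callers and could answer with another application's roles.
        RoleProvider provider = FindProvider(applicationName);
        if (provider == null)
        {
            // Unknown application: fail closed with a fault the client can handle.
            throw new FaultException("Unknown application name.");
        }

        // The identity was verified by the binding (Windows/AD or UserName
        // validation). A user name passed as a parameter would be unverified.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
        {
            return false; // anonymous callers hold no roles
        }
        return provider.IsUserInRole(ctx.PrimaryIdentity.Name, role);
    }

    // Case-insensitive match on the configured applicationName attribute;
    // SingleOrDefault also surfaces a misconfiguration with duplicate names.
    internal static RoleProvider FindProvider(string applicationName)
    {
        return Roles.Providers.Cast<RoleProvider>().SingleOrDefault(p =>
            string.Equals(p.ApplicationName, applicationName, StringComparison.OrdinalIgnoreCase));
    }
}
```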