Regarding Securing WCF service with Forms Authentication

  • Question

  • I was reading an article on securing a WCF service with Forms Authentication, but a few things were not clear to me. The article URL is as follows: http://dotnetspeak.com/2012/01/securing-wcf-with-forms-authentication

    The author designed a REST-based WCF service. Please see this code.

    [WebGet(UriTemplate = "/GetPeople", RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    public List<Person> GetPeople()
    {
        using (var ctx = new Context())
        {
            ctx.Configuration.LazyLoadingEnabled = false;
            ctx.Configuration.ProxyCreationEnabled = false;
            return ctx.People.OrderBy(one => one.LastName).ThenBy(two => two.FirstName).ToList();
        }
    }

    1) See this line: WebGet(UriTemplate = "/GetPeople". When my function name is GetPeople, why do I need to specify my function name again here through WebGet?

    2) If we specify a different name for GetPeople, like WebGet(UriTemplate = "/FetchPeople", then when the client creates a proxy, will it get the function name as GetPeople or FetchPeople?

    3) Forms authentication has been used to protect the WCF service, but anyone who goes to the article link will notice that the user is never verified in each method. The user just provides credentials the first time and calls the function. In ASP.NET we always check in the page load that the user is authenticated for private pages. So tell me, is it possible in WCF?

    4) See this code:

    [WebGet(UriTemplate = "/GetPerson?id={id}", RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    public Person Get(int id)
    {
        using (var ctx = new Context())
        {
            ctx.Configuration.LazyLoadingEnabled = false;
            ctx.Configuration.ProxyCreationEnabled = false;
            return ctx.People.Find(id);
        }
    }

    See the above line, [WebGet(UriTemplate = "/GetPerson?id={id}": the function name is Get, but it was given another name, GetPerson, through WebGet. What does that mean? How will the client call this function? When the client creates a proxy, what function name will appear in IntelliSense? Please explain.

    5) See the forms-auth-related code in the config file:

    <?xml version="1.0"?>
    <configuration>
        <connectionStrings>
            <add name="SecuredServiceDemo"
               connectionString="Server=.;Integrated Security=SSPI;Database=SecuredServiceDemo"
               providerName="System.Data.SqlClient" />
        </connectionStrings>
        <system.web>
            <compilation debug="true" targetFramework="4.0" />
            <authentication mode="Forms">
            </authentication>
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    
        <location path="LoginService.svc">
            <system.web>
                <authorization>
                    <allow users="?"/>
                </authorization>
            </system.web>
        </location>

    When we set the authentication mode to Forms, we also specify our login page name, but he did not specify the login page name; rather, he protected LoginService.svc using the location tag. So when anyone tries to access the LoginService.svc file, what file will be invoked on behalf of the login page?

    6) If we avoid calling LoginService.svc here and I instead try to call CustomService.svc, can we call all the web service methods? If that is not possible, then why? Because CustomService.svc is not protected, so we can directly call any function from the CustomService classes.

    Please read all my points and guide me in detail accordingly. Thanks.

    Thursday, May 8, 2014 12:39 PM

All replies

  • Hi,

    >>1) See this line: WebGet(UriTemplate = "/GetPeople". When my function name is GetPeople, why do I need to specify my function name again here through WebGet?

    You can use any UriTemplate you want, for example WebGet(UriTemplate = "/abc"). Then, using http://.../abc, you can call the service method GetPeople().

    >>2) If we specify a different name for GetPeople, like WebGet(UriTemplate = "/FetchPeople", then when the client creates a proxy, will it get the function name as GetPeople or FetchPeople?

    If your UriTemplate is "/FetchPeople", then the function name will be GetPeople.

    >>3) Forms authentication has been used to protect the WCF service, but anyone who goes to the article link will notice that the user is never verified in each method. The user just provides credentials the first time and calls the function. In ASP.NET we always check in the page load that the user is authenticated for private pages. So tell me, is it possible in WCF?

    I am not sure if I have misunderstood you, but it is possible to check if the user is authenticated every time. For more information, please refer to:
    How to determine user is authenticated in WCF service:
    http://stackoverflow.com/questions/14093765/how-to-determine-user-is-authenticated-in-wcf-service

    >>4) See the above line, [WebGet(UriTemplate = "/GetPerson?id={id}": the function name is Get, but it was given another name, GetPerson, through WebGet. What does that mean? How will the client call this function? When the client creates a proxy, what function name will appear in IntelliSense? Please explain.

    GetPerson is just the name; we can use any other, and the function name will still be Get.

    >>5) When we set the authentication mode to Forms, we also specify our login page name, but he did not specify the login page name; rather, he protected LoginService.svc using the location tag. So when anyone tries to access the LoginService.svc file, what file will be invoked on behalf of the login page?

    It will call the LoginService service with the login method.

    >>6) If we avoid calling LoginService.svc here and I instead try to call CustomService.svc, can we call all the web service methods? If that is not possible, then why? Because CustomService.svc is not protected, so we can directly call any function from the CustomService classes.

    If the CustomService uses no security authentication, then you can call it. But if it uses security authentication, then you cannot call it without authentication.

    Best Regards,
    Amy Peng



    Friday, May 9, 2014 7:29 AM
    Moderator
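
Added example (not part of the thread or the linked article): one way to enforce the per-call check asked about in question 3, assuming the service is hosted in IIS with ASP.NET compatibility mode enabled so the forms-authentication ticket is visible to WCF. `PeopleService` and `RequireAuthenticatedUser` are hypothetical names, and the returned row is constructed sample data.

```csharp
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;

// Assumption: web.config contains
//   <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
// so HttpContext.Current is populated and the forms-auth cookie has already
// been turned into HttpContext.Current.User for each request.
[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class PeopleService   // hypothetical service, not the article's class
{
    [OperationContract]
    [WebGet(UriTemplate = "/GetPeople", ResponseFormat = WebMessageFormat.Json)]
    public string[] GetPeople()
    {
        RequireAuthenticatedUser();   // runs on every call, not only at login
        return new[] { "constructed sample row" };
    }

    // Rejects the call unless the request carries a valid forms-auth ticket.
    private static void RequireAuthenticatedUser()
    {
        HttpContext ctx = HttpContext.Current;   // null when compatibility mode is off
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            // 403 rather than 401: the forms authentication module replaces a
            // 401 response with a redirect to the login URL, which a REST
            // client cannot follow usefully.
            throw new WebFaultException<string>("Authentication required", HttpStatusCode.Forbidden);
        }
    }
}
```

In ASP.NET compatibility mode the `<deny users="?"/>` URL authorization rule from the quoted web.config is also evaluated for every request to the .svc file; the in-method check is a second layer that keeps working if that rule is loosened.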
  • You said: 2) If we specify a different name for GetPeople, like WebGet(UriTemplate = "/FetchPeople", then when the client creates a proxy, will it get the function name as GetPeople or FetchPeople?

    If the function name would be GetPeople, then why should we mention FetchPeople in the UriTemplate?

    Is what we mention in the UriTemplate a function alias name, or does it mean something different?

    Monday, May 12, 2014 7:30 PM
  • Hi,

    The UriTemplate is part of the Uri. We can use anything we like in the UriTemplate.

    For example, when creating a WCF service, by default the Uri address will be http://localhost:8080/YourServiceName

    Then we can modify it in the config file to http://localhost:8080/YourServiceName/ss or http://localhost:8080/YourServiceName/asbcc, just as you want.

    Best Regards,
    Amy Peng



    Thursday, May 15, 2014 2:00 AM
    Moderator