Authentication and authorization WCF service

  • Question

  • I'd like to have architectural design suggestions/help.

    The objective is to design and implement a stand-alone WCF service with various methods for authentication (Windows: Active Directory) and authorization (using the SQL role provider).

    Authentication

    Client applications may directly call the method(s) that take a username/password to validate and return whether he/she is authenticated or in a particular group or not.

    Authorization

    A number of WCF services (application based) should be able to call the above A&A service to implement authorization, maybe using [PrincipalPermission(SecurityDemand....Role="Admin")] on top of the method.

    Here the client application calls the application-based WCF service, which in turn calls the A&A WCF service with a few parameters (ApplicationName, UserName etc.) to return whether a particular User.IsInRole == True or not.


    Any design level help and references are greatly appreciated.

    Thanks,



    Apriori algorithm [association rule]
    Wednesday, May 11, 2011 5:05 PM

All replies

  • Check this document for some guidance and walkthroughs.
    Wednesday, May 11, 2011 8:53 PM
  • Thanks, already aware of this.

    I think that the good design is:

    a stand-alone authentication and authorization service that serves a number of methods to authenticate the end user and authorize.

    The client instantiates the service client to implement A&A within the application; data will be provided from another WCF service.

    Suggestions are appreciated.


    Apriori algorithm [association rule]
    Thursday, May 12, 2011 7:49 AM
  • Yes, that makes sense. Try to keep as much of the authentication and authorization in the configuration and WCF attributes. If you still have a situation where you need some custom logic to authenticate or authorize, use the out-of-band handlers like OperationInvokers and MessageInspectors to do all that implicitly, out of band and by implementing endpoint behaviors, rather than you having to put code in each and every service method.
    Thursday, May 12, 2011 1:45 PM
  • Appreciate your valid response.

    As shown in the configuration file below, I am trying to configure the service to use different membership providers that point to the same database.

    It is not feasible to have a behaviorConfiguration attribute in the endpoint configuration. How can this be achieved?

    The objective is to use a different membership configuration with each endpoint, so that client A can use endpoint A and client B can use endpoint B.

    Help is appreciated.


    <connectionStrings>
        <!-- Both membership providers and both role providers share this one database -->
        <add name="MembershipDSN" connectionString="Server=DASQLINT;Database=Membership;Trusted_Connection=True;"/>
      </connectionStrings>

     <system.web>
      <compilation debug="true" targetFramework="4.0" />

       <authentication mode="Forms"/>

       <!-- Default Membership provider: the defaultProvider must name one of the providers declared below -->
       <membership defaultProvider="MembershipProvider1">
         <providers>
           <clear/>
           <!-- Provider for client application A (applicationName "/RefDef"); referenced by Behavior2 -->
           <add name="MembershipProvider2"
             type="System.Web.Security.SqlMembershipProvider,System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MembershipDSN"
             enablePasswordRetrieval="true"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             applicationName="/RefDef"
             requiresUniqueEmail="false"
             passwordFormat="Clear"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""/>

           <!-- Provider for client application B (applicationName "/Pres"); referenced by Behavior1.
                passwordFormat="Clear" stores any membership password unhashed in the shared database. -->
           <add name="MembershipProvider1"
              type="System.Web.Security.SqlMembershipProvider,System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MembershipDSN"
             enablePasswordRetrieval="true"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             applicationName="/Pres"
             requiresUniqueEmail="false"
             passwordFormat="Clear"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""/>
         </providers>
       </membership>

       <!-- Default role provider: defaultProvider must name one of the providers declared below -->
       <roleManager enabled="true" defaultProvider="RoleProvider">
         <providers>
           <add name="RoleProvider"
              connectionStringName="MembershipDSN"
              applicationName="/Def"
              type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"/>

           <add name="RoleProvider2"
           connectionStringName="MembershipDSN"
           applicationName="/PresMeta"
           type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"/>
         </providers>
       </roleManager>

       <customErrors mode="RemoteOnly"/>
     </system.web>

     <system.serviceModel>

       <!--<protocolMapping>
         <add scheme="http" binding="wsHttpBinding" />
       </protocolMapping>-->

    <services>
      <!-- behaviorConfiguration is a service-level setting; the endpoint can only pick a binding configuration -->
      <service name="Security.Service1" behaviorConfiguration="Behavior1">
       <endpoint
         binding="wsHttpBinding"
         name="MyEndPoint"
         bindingConfiguration="MembershipBinding"
         contract="Security.IService1" >
       </endpoint>
      </service>
     </services>

     <bindings>
         <!-- WSHttp binding -->
         <wsHttpBinding>
           <!-- Set up a binding that uses UserName as the client credential type -->
          <binding name="MembershipBinding">
             <security mode="Message">
               <message clientCredentialType="UserName" />
             </security>
           </binding>
          </wsHttpBinding>
       </bindings>

     <behaviors>
       <serviceBehaviors>
       <!-- PreMet Behavior: validate the UserName credential against MembershipProvider1 -->
         <behavior name="Behavior1">
           <serviceCredentials>
             <userNameAuthentication
               userNamePasswordValidationMode="MembershipProvider"
               membershipProviderName="MembershipProvider1"
             />
           </serviceCredentials>
         </behavior>

        <behavior name="Behavior2">
          <serviceCredentials>
            <!-- Configure user name authentication to use the Membership Provider -->
            <userNameAuthentication
               userNamePasswordValidationMode="MembershipProvider"
               membershipProviderName="MembershipProvider2"
            />
          </serviceCredentials>

         <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
         <serviceMetadata httpGetEnabled="true"/>
         <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
         <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
       </serviceBehaviors>
      </behaviors>

      <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

     </system.serviceModel>
     
    • Edited by Raju Golla Friday, May 13, 2011 1:52 PM source added
    Friday, May 13, 2011 1:46 PM
  • You'd need an EndpointBehaviourExtensionElement. This is a very good article on how to wrap a behaviour in an extension element.


    http://burcakcakiroglu.com/?p=2083

    Friday, May 13, 2011 5:05 PM
  • Hi Sukumar,

    Do you mean you want to make each service endpoint (suppose you have multiple endpoints in a single service) use its own (separate) membership provider? If so, this is a bit tough, as the current support for membership providers (for username authentication) is configured in the ServiceBehavior, which means it is a service-wide setting instead of endpoint-wide.

    A possible means is to develop a custom endpoint extension (like a messageInspector) which intercepts the username/password message header (in the SOAP message for authentication) and programmatically calls the Membership API (or whatever API you use for validating credentials) there.

    For authorization, if you feel the built-in role-based support (declarative approach) is not sufficient, you can also implement your own authorization manager to put your custom authorization logic in a central point.

    Authorization In WCF-Based Services
    http://msdn.microsoft.com/en-us/magazine/cc948343.aspx


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Tuesday, May 17, 2011 9:09 AM
    Moderator
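    The central authorization manager suggested above, written as an added example (not code from the thread or from the MSDN article): because serviceCredentials is service-wide, the per-endpoint choice is made inside a ServiceAuthorizationManager instead, which maps the endpoint the caller hit to one of the SqlRoleProviders from the configuration earlier in the thread. The relative endpoint addresses "Def" and "Pres", the mapping table, and the assumption that the role tables key on the AD name (DOMAIN\user) are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.Web.Security;

namespace Security
{
    // Registered service-wide in web.config, inside <behavior name="Behavior1">:
    //   <serviceAuthorization serviceAuthorizationManagerType="Security.EndpointRoleAuthorizationManager, Security" />
    public class EndpointRoleAuthorizationManager : ServiceAuthorizationManager
    {
        // Assumed mapping: last segment of the endpoint address -> role provider name from <roleManager>.
        // "Def" and "Pres" are hypothetical relative endpoint addresses; the provider names come from the thread's config.
        private static readonly Dictionary<string, string> RoleProviderByEndpoint =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "Def",  "RoleProvider"  },   // applicationName="/Def"
                { "Pres", "RoleProvider2" }    // applicationName="/PresMeta"
            };

        private const string RequiredRole = "Admin";

        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            // Deny by default: an anonymous caller or an unmapped endpoint never passes.
            if (!base.CheckAccessCore(operationContext))
                return false;

            ServiceSecurityContext securityContext = operationContext.ServiceSecurityContext;
            if (securityContext == null || securityContext.IsAnonymous || securityContext.PrimaryIdentity == null)
                return false;

            // The endpoint the message arrived on decides which application's roles apply.
            Uri endpoint = operationContext.EndpointDispatcher.EndpointAddress.Uri;
            string endpointKey = endpoint.Segments[endpoint.Segments.Length - 1].TrimEnd('/');

            string providerName;
            if (!RoleProviderByEndpoint.TryGetValue(endpointKey, out providerName))
                return false;

            RoleProvider provider = Roles.Providers[providerName];
            if (provider == null)
                return false;

            // Assumption: the role tables store the same DOMAIN\user name that AD authentication yields.
            string user = securityContext.PrimaryIdentity.Name;
            return provider.IsUserInRole(user, RequiredRole);
        }
    }
}
```

    A failed check surfaces to the client as a SecurityAccessDeniedException fault, so the data service behind it is never reached for a caller outside the role.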
  • Thanks Steve.

    Please note that Active Directory authentication is used for authenticating end users (the service provides AD authentication methods). This is already implemented and working well.

    To implement authorization in client applications, the developer adds a reference to my service (the one I am implementing) and accesses methods such as Roles.IsUserInRole("Admin") to get data from another service, which provides the data.

    //Add reference to security service
    SecurityServiceClient securityClient = new SecurityServiceClient();
    //Add reference to Data service
    DataServiceClient dataClient = new DataServiceClient();

    //Access method from Security service: only fetch data when the caller is in the role
    if (securityClient.IsUserInRole("Admin"))
    {
      //Access method from Data Service
      GridView.DataSource = dataClient.GetAllEmployees();
      GridView.DataBind();
    }


    Objective: the security service uses the Membership database to store ONLY role information. Using the web configuration tool, Active Directory users are assigned to various roles as required by the application. So AD for authentication and the role provider for authorization. I think it is quite feasible to configure the WCF service to utilise the same Membership database to configure role information for different client applications.

    I have a number of different Membership configuration sections in the WCF Web.config.

    Now it is required to configure the service to use a different membership provider, through the endpoint or something else (need help), so that client application X uses endpoint X, which uses Membership config section X.

    Another client application Y uses endpoint Y, which uses membership config section Y.


    Let me know if you need more details, so that I can elaborate.



    Apriori algorithm [association rule]
    Tuesday, May 17, 2011 1:38 PM
  • Hi All / Sukumar

    Maybe I shouldn't be reopening this thread, but your design seems to be what I'm looking to implement in my application, and I am finding it difficult to find the correct procedure/info on how to implement this.

    Basically I want the client (Silverlight app) to pass a username and password to a security service that will check these credentials against a database and maybe return a Guid and a list of roles for that user.

    This Guid will be passed to another WCF service along with any methods that the user would want to call. The WCF service will use this Guid to check against the security service that this is a logged-in user.

    The reason for having the security in a separate service is that I could end up with multiple WCF data services and would like to keep it separate. WCF RIA is not an option for me.

    Is this what you implemented in your scenario? Have you any pointers/blog posts that helped you achieve this? Is this even possible?

    Thanks

    Paul

    Tuesday, July 12, 2011 2:11 PM