WCF authorization from MVC 5

  • Question

  • Hi,

    I have an ASP.NET application with users (based on ASP.NET Identity 2). Each user can post data to a WCF service. The system has roles from Identity 2. I would like to have limited access to WCF per user. I mean a "basic" user can't do things that an administrator can. Also I want to protect WCF if a "user" tries to create his own application and connect to the service: he shouldn't be able to do any illegal things, only those that are available when logged in to the website.

    Basically it's about authorization. What I don't know is what is best practice. Should I send to WCF in a header the username and some token? I think it's not best practice to store the password after login in the session or keep it somehow. Another idea is to do the security checks on the website and make WCF communication available just from one specific application by certificate or something else that guarantees to accept just that specific website app?

    If none of the described practices is good, then how should it be done?

    I read some dynamic implementations like https://blogs.technet.microsoft.com/meamcs/2011/05/11/implementing-dynamic-authorization-for-a-wcf-service-using-sql-providers/ I think it's for older ASP, or is it working as well for MVC 5?

    If you could post some tutorial on how to make it with MVC 5 it would be nice. Especially with the client implementation, I don't know if creating a client instance is enough.

    Thanks for sharing your knowledge :)

    Sunday, July 9, 2017 8:41 PM

All replies

  • I have an ASP.NET application with users (based on ASP.NET Identity 2). Each user can post data to a WCF service. The system has roles from Identity 2. I would like to have limited access to WCF per user.

    The limitations as to what a user can or cannot do are applied on the client side at the UI, at the MVC controller, and as business rules in the business logic layer against domain objects.

    Also I want to protect WCF if a "user" tries to create his own application and connect to the service: he shouldn't be able to do any illegal things, only those that are available when logged in to the website.

    It's kind of questionable if you have the WCF service on the protected LAN, and it's not being exposed to the public Internet directly. It would be kind of questionable if you were using an n-tier architecture with the MVC solution where layers were implemented and Separation of Concerns was implemented to further protect the service.

    Basically it's about authorization. What I don't know is what is best practice. Should I send to WCF in a header the username and some token?

    If all the WCF service is is some pass-through to the backend for CRUD operations with a DB on the protected LAN, then what is the point, particularly so if the WCF service is never directly exposed to the public Internet?

    If you are that concerned about the security of a service or services exposed directly to the public Internet, then maybe you should look into a service layer.

    https://msdn.microsoft.com/en-us/library/ee658090.aspx

    If you are somehow thinking that this is a solution you put on a Web server, and the solution is going to be exposed to the public Internet on the Windows O/S using IIS, then if the O/S, IIS, file system, registry, and user accounts are not hardened against attack, you are just putting up hack-bait and a jumping-off point for hackers to attack other networks, with the security of WCF being the least of your problems.

    There are 1,000-page books on hardening the Windows O/S against attack when it is exposed to the public Internet, and the experts can hardly do it.

    With that being said, if you are thinking of exposing the solution to the public Internet, then you should look into a Web hosting service.

    Sunday, July 9, 2017 11:07 PM
  • I have an ASP.NET application with users (based on ASP.NET Identity 2). Each user can post data to a WCF service. The system has roles from Identity 2. I would like to have limited access to WCF per user.

    The limitations as to what a user can or cannot do are applied on the client side at the UI, at the MVC controller, and as business rules in the business logic layer against domain objects.

    Yes, correct, I do the business logic in the MVC controller mostly, i.e. whether the user can access the WCF service; then if he can, I would like to tell WCF "this is the actorId, check if he can operate with this function".

    ---

    It's kind of questionable if you have the WCF service on the protected LAN, and it's not being exposed to the public Internet directly. It would be kind of questionable if you were using an n-tier architecture with the MVC solution where layers were implemented and Separation of Concerns was implemented to further protect the service.

    Well, MVC is exposed to the public internet, WCF is not. But it's running on a shared server; there can be another user trying to scan (then hack) services and I would like to protect against it.

    --

    If you are somehow thinking that this is a solution you put on a Web server

    WCF will run in IIS, only on localhost with some port number (not 80, 443).

    Based on that, any next suggestions based on my current reply? 

    Monday, July 10, 2017 8:03 AM
  • Well MVC is exposed to the public internet

    And the controller is consuming the WCF Web service, right?

    If that's the case, then that is bad news, and the MVC controller should be calling objects on the Repository or Business layer. It's the Repository or Business project that consumes the WCF service.

    WCF will run in IIS, only on localhost with some port number (not 80, 443).

    Based on that, any next suggestions based on my current reply? 

    You can use a generic user-id and password passed to the WCF service from the layer that consumes it. This thing about every user having a user ID and password to be authenticated by WCF, well, I have never seen such an implementation, and I don't think it's feasible or viable.

    Monday, July 10, 2017 11:15 AM
  • Good to know that the MVC controller shouldn't do that :)

    I read some article now and maybe I'll go for it. It's about creating a Message Inspector which customizes the header. I will post the userId to make it simple. On the WCF side I will create an Authorization Policy which will decode the userId and create a principal which I assign to Thread.CurrentPrincipal.

    This idea might work, what do you think? For security, using wsHttpBinding with security on the message layer. One thing that is bothering me is that I have to pass credentials; probably I will have to create a static user.

    Monday, July 10, 2017 1:26 PM
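The message-inspector plus authorization-policy design described in the post above, written out as an added example (not code from the thread or from any of its participants). The contract `IDataService`, the header namespace `urn:example:actor`, the localhost address and the in-memory role table are all assumptions made for the example. The point it adds to the post: the header carries only the actor id, the roles are resolved on the service side, a missing or unknown id yields an unauthenticated principal with no roles, and the role demand is enforced by `PrincipalPermission` under `PrincipalPermissionMode.Custom`, so a caller cannot grant itself a role by editing the message.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Threading;

// Assumed contract shared by the MVC app's repository layer and the WCF service.
[ServiceContract]
public interface IDataService
{
    [OperationContract] void PostData(string payload);
    [OperationContract] void DeleteAllData();
}

// ---- Client side (repository/business layer of the MVC app) ----

// Stamps the acting user's id into a custom SOAP header on every outgoing message.
public class ActorHeaderInspector : IClientMessageInspector
{
    public const string HeaderName = "ActorId";
    public const string HeaderNamespace = "urn:example:actor"; // assumed namespace
    private readonly Func<string> _currentUserId;
    public ActorHeaderInspector(Func<string> currentUserId) { _currentUserId = currentUserId; }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        request.Headers.Add(MessageHeader.CreateHeader(HeaderName, HeaderNamespace, _currentUserId()));
        return null;
    }
    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}

// Endpoint behavior that installs the inspector on a channel factory or proxy.
public class ActorHeaderBehavior : IEndpointBehavior
{
    private readonly Func<string> _currentUserId;
    public ActorHeaderBehavior(Func<string> currentUserId) { _currentUserId = currentUserId; }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        clientRuntime.ClientMessageInspectors.Add(new ActorHeaderInspector(_currentUserId));
    }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// ---- Service side ----

// Turns the header into a principal. Roles are looked up here, never read from the message.
public class ActorAuthorizationPolicy : IAuthorizationPolicy
{
    // Constructed sample role table; a real service would query the Identity 2 tables.
    private static readonly Dictionary<string, string[]> Roles = new Dictionary<string, string[]>
    {
        { "user-1", new[] { "Administrator" } },
        { "user-2", new[] { "Basic" } },
    };

    public string Id { get; } = Guid.NewGuid().ToString();
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        var headers = OperationContext.Current.IncomingMessageHeaders;
        int index = headers.FindHeader(ActorHeaderInspector.HeaderName, ActorHeaderInspector.HeaderNamespace);
        string actorId = index >= 0 ? headers.GetHeader<string>(index) : null;

        string[] roles;
        if (actorId == null || !Roles.TryGetValue(actorId, out roles))
            roles = new string[0]; // missing or unknown actor: no roles at all

        // An empty name gives IsAuthenticated == false, so a PrincipalPermission demand fails.
        var principal = new GenericPrincipal(new GenericIdentity(actorId ?? string.Empty), roles);
        evaluationContext.Properties["Principal"] = principal; // used by PrincipalPermissionMode.Custom
        Thread.CurrentPrincipal = principal;
        return true;
    }
}

public class DataService : IDataService
{
    public void PostData(string payload) { /* any known actor may post */ }

    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    public void DeleteAllData() { /* "Basic" actors receive an access-denied fault */ }
}

public static class Hosting
{
    public static ServiceHost Open()
    {
        // Assumed local-only address, matching the thread's "localhost with some port" setup.
        var host = new ServiceHost(typeof(DataService), new Uri("http://localhost:8733/data"));
        host.AddServiceEndpoint(typeof(IDataService), new WSHttpBinding(), string.Empty);
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(
            new List<IAuthorizationPolicy> { new ActorAuthorizationPolicy() });
        host.Open();
        return host;
    }

    public static IDataService CreateClient(Func<string> currentUserId)
    {
        var factory = new ChannelFactory<IDataService>(new WSHttpBinding(), "http://localhost:8733/data");
        factory.Endpoint.EndpointBehaviors.Add(new ActorHeaderBehavior(currentUserId));
        return factory.CreateChannel();
    }
}
```

In the MVC application the id callback would typically be `() => HttpContext.Current.User.Identity.GetUserId()` from `Microsoft.AspNet.Identity`. The default `WSHttpBinding` authenticates the calling process with Windows message security, so the IIS application pool identity of the MVC site plays the role of the single "static user" the post mentions; the service therefore trusts the header only as far as it trusts that one caller, which is why the endpoint must stay reachable from that site alone.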
  • You'll have to play with the security and see what works for you.
    Monday, July 10, 2017 2:34 PM
  • OK, anyway thanks for help :) 
    Monday, July 10, 2017 2:38 PM
  • Hi veteska,

    For built-in Authentication options and Authorization, I suggest you refer below link.

    https://msdn.microsoft.com/en-us/library/ff650862.aspx

    >> Also I want to protect WCF if a "user" tries to create his own application and connect to the service: he shouldn't be able to do any illegal things, only those that are available when logged in to the website

    How do you validate the users who can log in to the website? If you use a user name and password, I think you could try Message security with Username.

    >> One thing that is bothering me is that I have to pass credentials; probably I will have to create a static user

    If you use Username security without a certificate, your username and password will be in plain text in your message, so you need to use transport-level security (SSL) or a certificate to encrypt the message.

    Best Regards,

    Edward

    MSDN Community Support

    Tuesday, July 11, 2017 2:08 AM
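The "Message security with Username" setup suggested in the reply above, as an added example that is not code from the thread or from any participant. It assumes the MVC template's `DefaultConnection` connection string, the stock `IdentityUser` type, and a service certificate with the placeholder subject name `wcf.example.local`; the contract type is passed in rather than assumed. It shows the part the reply only names: the UserName token is validated against the same Identity 2 user store the website logs users in with, and the host is configured with the service certificate that keeps the token from travelling in plain text (WCF refuses to open a message-security UserName endpoint without one).

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Validates the incoming UserName token against the Identity 2 store the web site uses.
public class IdentityPasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // "DefaultConnection" is the MVC template's connection string name (assumed here).
        using (var db = new IdentityDbContext<IdentityUser>("DefaultConnection"))
        using (var users = new UserManager<IdentityUser>(new UserStore<IdentityUser>(db)))
        {
            // Find(name, password) returns null on a wrong password. The fault text is
            // deliberately generic so the caller learns nothing about which half was wrong.
            if (users.Find(userName, password) == null)
                throw new FaultException("Unknown user name or incorrect password.");
        }
    }
}

public static class MessageSecurityHost
{
    // Message-level security with a UserName client credential.
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return binding;
    }

    public static ServiceHost Create(Type serviceType, Type contractType, Uri address)
    {
        var host = new ServiceHost(serviceType, address);
        host.AddServiceEndpoint(contractType, CreateBinding(), string.Empty);

        // The service certificate (placeholder subject name) is what the client uses to
        // encrypt the UserName token; without it the token would be readable on the wire.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "wcf.example.local");

        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new IdentityPasswordValidator();
        return host;
    }

    // Client side: credentials are set on the factory and travel as a WS-Security token,
    // never as parameters in the operation body.
    public static TContract CreateClient<TContract>(string address, string userName, string password)
    {
        var factory = new ChannelFactory<TContract>(CreateBinding(), address);
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }
}
```

The client must trust the service certificate's chain (the default `ChainTrust` validation mode), so a self-signed development certificate needs to be installed in the client's trusted root store rather than validation being switched off. Because the validator needs the password at call time, this credential is a natural fit for the single service account the asker mentions, with the acting user's identity carried separately as described earlier in the thread.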