Is it possible to create single security session over several WCF services?

  • Question

  • Hi.

    I am looking for a solution to implement a single security session over several WCF services with login / logout ability.

    I want to implement:

    1. SecurityService:

    [ServiceContract]
    public interface ISecurityService
    {
    	[OperationContract] SomeResult Authenticate(string login, string password);
    	[OperationContract] void Logout();
    }

    2. Several other services for example:

    [ServiceContract]
    public interface IItemService
    {
    	[OperationContract] IList<Item> LoadAllItems();
    	[OperationContract] void SaveItems(IList<Item> items);
    }

    [ServiceContract]
    public interface IPartnerService
    {
    	[OperationContract] IList<Partner> LoadAllPartners();
    	[OperationContract] Partner LoadPartnerById();
    	[OperationContract] void SavePartners(IList<Partner> partners);
    }


    Workflow should be following:

    1. Client calls the Authenticate method to log in to the services set (for example this method can be called from the login form of the client WPF application). I think I can remember all authenticated users in a static dictionary, so this information will be available to all services from the services set. I can remove the authenticated users from the dictionary when some timeout has expired and there were no other requests from the authenticated client.

    2. Client calls any other methods of other services (for example these methods will be called from the different screens of the client WPF application). All services should know that the client is already authenticated.

    3. Client calls the Logout method to close the session.

    WCF services will be hosted in a Windows service, i.e. infrastructure will not be available. Also I don't want to use a membership provider.

    But I'm not sure what information is better to return from the Authenticate method, and how to inject this information into other method calls. Is there some kind of AuthenticationTicket that I can return to a client?

    As a solution I can send login and password with every message using the TransportWithMessageCredential security mode and validate it against the login and password stored in the static dictionary (or maybe against a database), but it doesn't seem to be a good way.

    Also I need a solution that will be interoperable (for example the services can be called from Java clients).

    Any suggestions? Thanks.

    Tuesday, February 5, 2013 4:23 PM

All replies

  • Well, I have an idea that the Authenticate method can return a GUID which will be the session identifier.

    Then I can add this session id to every message using a client message inspector. So any of the services in the set will know in the context of which global session it was called. All sessions will be stored in a static dictionary, where the key is the session id GUID and the value is a custom implementation of IIdentity.

    This approach should work well in the case of basicHttpBinding.

    But I still have a problem with wsHttpBinding, since it automatically adds a security session start message before my own Authenticate message call, and I have no way to inject the custom header with the session id GUID into that message.

    Monday, February 11, 2013 11:17 AM
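The session-id approach described in the question and in this reply, as an added C# example that is not part of the original thread: a process-wide session store with a sliding idle timeout (the static dictionary the question mentions), an `IClientMessageInspector` that stamps every outgoing request with the session id header, and an `IDispatchMessageInspector` that rejects requests whose session is missing or expired before any operation body runs. The header name and namespace, the `SessionStore` type, the `SessionIdentity` message-property key and the 20-minute timeout are assumptions made for this example, not anything WCF defines.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;

// Assumed header name/namespace for carrying the session id (not a WCF standard).
public static class SessionHeader
{
    public const string Name = "SessionId";
    public const string Namespace = "urn:example:security-session";
}

// Process-wide store shared by every service hosted in the same Windows service.
public static class SessionStore
{
    private sealed class Entry
    {
        public IIdentity Identity;
        public DateTime LastSeenUtc;
    }

    private static readonly ConcurrentDictionary<Guid, Entry> Sessions =
        new ConcurrentDictionary<Guid, Entry>();

    // Sliding idle timeout: a session dies after this long without any request.
    public static TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);

    // Called by Authenticate after the credentials have been verified.
    public static Guid Create(IIdentity identity)
    {
        // 128 bits from a CSPRNG: the session id is a bearer token and must be unguessable.
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var id = new Guid(bytes);
        Sessions[id] = new Entry { Identity = identity, LastSeenUtc = DateTime.UtcNow };
        return id;
    }

    // Returns the identity for a live session, or null if unknown or expired.
    public static IIdentity Resolve(Guid id)
    {
        Entry entry;
        if (!Sessions.TryGetValue(id, out entry)) return null;
        if (DateTime.UtcNow - entry.LastSeenUtc > IdleTimeout)
        {
            Sessions.TryRemove(id, out entry);   // lazy expiry on next use
            return null;
        }
        entry.LastSeenUtc = DateTime.UtcNow;     // slide the window
        return entry.Identity;
    }

    // Called by Logout.
    public static void Remove(Guid id)
    {
        Entry ignored;
        Sessions.TryRemove(id, out ignored);
    }
}

// Client side: adds the session id header to every outgoing request.
public sealed class SessionClientInspector : IClientMessageInspector
{
    private readonly Guid _sessionId;
    public SessionClientInspector(Guid sessionId) { _sessionId = sessionId; }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        request.Headers.Add(MessageHeader.CreateHeader(
            SessionHeader.Name, SessionHeader.Namespace, _sessionId.ToString()));
        return null;
    }

    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}

// Service side: validates the session before the operation is dispatched.
public sealed class SessionDispatchInspector : IDispatchMessageInspector
{
    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        int index = request.Headers.FindHeader(SessionHeader.Name, SessionHeader.Namespace);
        Guid id;
        if (index < 0 || !Guid.TryParse(request.Headers.GetHeader<string>(index), out id))
            throw new FaultException("Missing or malformed session id.");

        IIdentity identity = SessionStore.Resolve(id);
        if (identity == null)
            throw new FaultException("Session is not authenticated or has expired.");

        // Expose the caller's identity to the operation through the message properties.
        OperationContext.Current.IncomingMessageProperties["SessionIdentity"] = identity;
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}
```

Both inspectors are registered through an `IEndpointBehavior`: `ApplyClientBehavior` adds `SessionClientInspector` to `clientRuntime.MessageInspectors`, and `ApplyDispatchBehavior` adds `SessionDispatchInspector` to `endpointDispatcher.DispatchRuntime.MessageInspectors` on every service endpoint except the Authenticate endpoint itself. `Authenticate` verifies the login and password, calls `SessionStore.Create` and returns the GUID; `Logout` reads the id from the incoming header and calls `SessionStore.Remove`. Because the GUID is a bearer token, the endpoints should still run over transport security so it is not disclosed in transit, and the id is drawn from a CSPRNG rather than `Guid.NewGuid()`, whose randomness is not documented as cryptographic. A plain SOAP header is readable by any client stack, which addresses the interoperability requirement; this covers basicHttpBinding and does not address the wsHttpBinding security-session handshake noted in the reply.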
  • Maybe a little simplified question...

    Is there a way to implement a session (I mean not a WCF reliable session but something like an ASP.NET session) in WCF in the case of self-hosted services? What is the best way to pass a session identifier from the service to the client and back from the client to the service?

    Monday, February 11, 2013 2:11 PM