Custom Authorization Framework in WCF Service layer

  • Question

  • Hi,


    Need some help on an authorization framework we can consider for the following requirements



    UI- Windows forms

    Middle tier - WCF Services provides services to UI layer

    DB- SQL


    Intranet application

    User information will be maintained in Active Directory and DB



    As of now WCF is configured for wsHttpBinding with secure conversation enabled (this takes care of authentication for me..)


    Authentication requirements


    1. There will be different types of forms (ex: form to enter Order info, form to enter Payment info)


    2. Each form will have contacts and their roles mentioned in it... (ex: For Order#1 User A is a Power user, User B is a Viewer. In Order#2 USER C is a Power user, USER A is a Viewer. In Payment#1 USER X is a Power user, etc.)


    3. A person can assume different roles in different forms (even in the same type of form) (ex: User A can be a Power user in Order#1 and he can be just a Viewer in ORDER#2) [same roles, but the role changes from form to form]


    4. Each form type has different rules for a role (ex: the Order form will display all fields for POWER USER and disable all fields for VIEWER USER.... the PAYMENT form will display all fields for POWER USER and disable only a few fields for VIEWER USER... In the ORDER form a POWER User should be able to edit and delete, whereas a VIEWER can just view it...)

    [ this should be customizable]



    When the Presentation layer (UI) calls the WCF service requesting the service.. we should be able to authenticate (as of now authenticating using secure negotiation of Windows credentials), authorize it and provide the corresponding response to the Presentation layer...


    If a VIEWER calls the DELETE method on an ORDER form -> the WCF service should send a response back saying that he/she is not authorized to delete the order...


    If a VIEWER user calls a method to display an ORDER form -> WCF should return all the data that needs to be displayed in the ORDER form as well as information regarding which fields the user should be able to edit (enabled in UI) and which fields should be hidden, etc.


    I would appreciate it if anyone can share their expertise and point me in the right direction on choosing the right methodology to implement it..



    Tuesday, July 22, 2008 2:58 PM
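The model the post describes, as an added example (not code from the original post): roles are resolved per form instance (Order#1 vs Order#2), a per-form-type rule table decides what each role may do and which fields it may edit or must hide, and the WCF operation enforces it and returns the field permissions with the data. `IFormRoleStore`, `FormPolicy`, `OrderService` and the sample field names are hypothetical placeholders; the caller identity comes from the wsHttpBinding Windows-credential negotiation already in place.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;

public enum FormType { Order, Payment }
public enum Role { None, Viewer, PowerUser }

// Hypothetical store for instance-scoped roles, backed by the DB in the real system.
public interface IFormRoleStore { Role GetRole(string user, FormType type, int formId); }

// Customizable rule table: actions a role may perform, fields it may edit, fields to hide.
// Change this table (or load it from config/DB) without touching the service code.
public class FormRule { public string[] Actions, Editable, Hidden; }
public static class FormPolicy
{
    static readonly string[] None = new string[0];
    static readonly Dictionary<string, FormRule> Rules = new Dictionary<string, FormRule>
    {
        { "Order.PowerUser",   new FormRule { Actions = new[]{"View","Edit","Delete"}, Editable = new[]{"Customer","Amount"}, Hidden = None } },
        { "Order.Viewer",      new FormRule { Actions = new[]{"View"}, Editable = None, Hidden = None } },
        { "Payment.PowerUser", new FormRule { Actions = new[]{"View","Edit","Delete"}, Editable = new[]{"Payee","Amount","CardNumber"}, Hidden = None } },
        { "Payment.Viewer",    new FormRule { Actions = new[]{"View"}, Editable = new[]{"Payee"}, Hidden = new[]{"CardNumber"} } },
    };
    // Unknown (type, role) pairs deny everything: missing rules fail closed.
    public static FormRule For(FormType type, Role role)
    { FormRule r; return Rules.TryGetValue(type + "." + role, out r) ? r : new FormRule { Actions = None, Editable = None, Hidden = None }; }
    public static bool Allows(FormType type, Role role, string action) { return Array.IndexOf(For(type, role).Actions, action) >= 0; }
}

// Response to the Windows Forms client: the data plus what the UI may edit or must hide.
public class OrderView { public int Id; public string Customer; public decimal Amount; public string[] Editable, Hidden; }

[ServiceContract] public interface IOrderService
{
    [OperationContract] OrderView GetOrder(int orderId);
    [OperationContract] void DeleteOrder(int orderId);
}

public class OrderService : IOrderService
{
    readonly IFormRoleStore roles;  // supplied via a custom IInstanceProvider or a concrete store
    public OrderService(IFormRoleStore roles) { this.roles = roles; }
    static string Caller() { return ServiceSecurityContext.Current.PrimaryIdentity.Name; }

    // Resolve the caller's role for this specific form instance and check the action against the table;
    // a denial is returned to the UI as a SOAP fault with a readable reason.
    Role Require(FormType type, int id, string action)
    {
        Role role = roles.GetRole(Caller(), type, id);
        if (!FormPolicy.Allows(type, role, action))
            throw new FaultException("User " + Caller() + " is not authorized to " + action + " " + type + " #" + id);
        return role;
    }
    public OrderView GetOrder(int orderId)
    {
        FormRule rule = FormPolicy.For(FormType.Order, Require(FormType.Order, orderId, "View"));
        // Order data would be loaded from the DB here; constructed sample values below.
        return new OrderView { Id = orderId, Customer = "Contoso", Amount = 100m, Editable = rule.Editable, Hidden = rule.Hidden };
    }
    public void DeleteOrder(int orderId) { Require(FormType.Order, orderId, "Delete"); /* delete in DB */ }
}
```

The UI uses `Editable`/`Hidden` only to shape the form; the service re-checks every action on every call, so a client that ignores the hints still cannot delete or edit what its role does not allow.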
