Securing Dataservices for both forms authentication and Windows authentication RRS feed

  • Question

  • Hi All,

    I have a question around securing ADO.NET dataservices:

    Currently our application is designed to work in an intranet environment so we've got it working with a WPF client calling into the ADO.NET dataservice where Windows authentication and impersonation are enabled in IIS on the Dataservice virtual directory. The user then doesn't have to log in to the application as the user details are passed straight through to dataservices and then a database lookup is done in the query interceptor to see whether the user has the rights to read this entity.

    In the future we want to also have an internet client which will use the same dataservice. What is the best way to secure the data service then so that it works securely on both platforms without requiring an intranet user to log in to the system?

    Thanks in advance!
    Thursday, October 16, 2008 4:44 AM


  • You can also use Forms based security like you would for a web site.  And can use the default forms provider or derive from Membership provider to use your own custom store for validations, etc (be sure to disable anonymous access).  In either case, it is the provider (windows or forms) that allows access to the vDir where your service lives. Once that is done, the service is loaded and user can make calls.. Your Interceptors can then check against HttpContext.Current.User.Identity.Name or HttpContext.Current.User.IsInRole("Users") to further restrict access.

    Thursday, October 16, 2008 6:20 AM