
Thread: WCF Service Authentication/Authorization question

  1. #1
    ben_ng

    WCF Service Authentication/Authorization question

    Hi,
    I am new to WCF and here's my scenario.
    My web page will be hosted on a web server, and there will be an app server on which my web page will call the WCF services. I will be using forms authentication for authenticating users, and roles will be custom roles populated in SQL Server, not the built-in aspnet tables. To add to the difficulty, I am using the Web Client Software Factory in my development.
    Here's my question. I am worried that unauthorised users (logged in but still unauthorised) will try to call my WCF service directly if they know the URL for the service. I am unable to use System.Threading.Thread.CurrentPrincipal.Identity.Name to pass in their identity to the service as it spans across different servers.
    Is there a way for me to authenticate by passing their credentials to the WCF service, so that I can do further authorization checks from there? I understand I can do something like this:
    Code:
    ' Set the username credentials on the client proxy before calling the service.
    ' In released WCF the ClientCredentials property is named UserName.
    Dim pxy As New MyFirstSecuredWCFServiceProxy
    pxy.ChannelFactory.Credentials.UserName.UserName = "Softwaremaker"
    pxy.ChannelFactory.Credentials.UserName.Password = "SomePassword"

    to pass the username to my WCF service for authorization checking. But how do I grab the username from my WCF service?
    Sorry if my question sounds stupid as I am very new to WCF.
    Thanks for any help given!

  2. #2
    petersgyoung
    Information about authenticated caller of WCF can be checked by using ServiceSecurityContext, e.g. ServiceSecurityContext.Current.PrimaryIdentity.Name.

    If you implement IIdentity of your custom type, you can use PrincipalPermission to check the caller's role declaratively or imperatively.
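
    An added example (not code from either poster): service-side VB.NET that reads the authenticated caller name from ServiceSecurityContext, as post #2 describes, and checks it against a custom role list before doing any work. IOrderService, OrderService and the in-memory role table are hypothetical stand-ins, and the binding is assumed to be configured for username credentials.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.ServiceModel

' Hypothetical contract and service names; not from the thread.
<ServiceContract()> _
Public Interface IOrderService
    <OperationContract()> _
    Function CancelOrder(ByVal orderId As Integer) As String
End Interface

Public Class OrderService
    Implements IOrderService

    ' Constructed stand-in for the custom role table kept in SQL Server.
    Private Shared ReadOnly RolesByUser As _
        New Dictionary(Of String, String())(StringComparer.OrdinalIgnoreCase)

    Shared Sub New()
        RolesByUser.Add("alice", New String() {"OrderAdmin"})
        RolesByUser.Add("bob", New String() {"Viewer"})
    End Sub

    Public Function CancelOrder(ByVal orderId As Integer) As String _
        Implements IOrderService.CancelOrder
        ' Authorize on the identity WCF authenticated, never on a name passed as a parameter.
        Dim caller As String = GetAuthenticatedCaller()
        If Not IsInRole(caller, "OrderAdmin") Then
            Throw New FaultException("Access denied.")
        End If
        Return String.Format("Order {0} cancelled by {1}", orderId, caller)
    End Function

    ' Returns the authenticated caller name; rejects calls that carry no identity.
    Private Shared Function GetAuthenticatedCaller() As String
        Dim ctx As ServiceSecurityContext = ServiceSecurityContext.Current
        If ctx Is Nothing OrElse ctx.IsAnonymous Then
            Throw New FaultException("Authentication required.")
        End If
        Return ctx.PrimaryIdentity.Name
    End Function

    ' Deny by default: unknown users have no roles.
    Public Shared Function IsInRole(ByVal userName As String, ByVal role As String) As Boolean
        Dim roles As String() = Nothing
        If Not RolesByUser.TryGetValue(userName, roles) Then Return False
        Return Array.IndexOf(roles, role) >= 0
    End Function
End Class
```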

  3. #3
    ben_ng
    Quote: Originally posted by petersgyoung
    Information about authenticated caller of WCF can be checked by using ServiceSecurityContext, e.g. ServiceSecurityContext.Current.PrimaryIdentity.Name.

    If you implement IIdentity of your custom type, you can use PrincipalPermission to check the caller's role declaratively or imperatively.
    Hi,
    Thanks for the tip. Does this command work across servers? I will be passing the credentials from the web server to the app server.
    Thanks

  4. #4
    petersgyoung
    As far as I know, when Windows credentials are used, you can configure the service to impersonate the caller's identity on the server so that the request thread operates under the impersonated Windows token. However, it may not be possible for other credentials (I may be wrong).
