
We are trying to create a WCF service that is only accessible by specified Windows groups. How can this be configured in the server web.config and the client configuration?

Note: We want to be able to control the Windows groups who are allowed access in the server web.config, not in code. Also, we don't want/need SSL at all.

I've googled around and the best examples I can find are all like this...

WCF Service, Windows Authentication

But that doesn't explain how to limit access only to a specific group or groups.

  • why don't you want SSL? I know there are valid reasons why, but you should state them – Seph May 15 '12 at 03:49
  • OK, that's a good question. Basically this is an intranet application and the company doesn't want the overhead/costs of maintaining SSL certificates on the client machines. If this problem can only be solved with SSL then we might have to reconsider that - but I was hoping we could avoid it. – barrylloyd May 15 '12 at 03:51
  • We are currently using wsHttpBinding – barrylloyd May 15 '12 at 05:05

2 Answers


If this is an intranet application you can use netTcpBinding:

<services>
   <service name="YourService"
      behaviorConfiguration="YourServiceBehavior">
      <endpoint 
         binding="netTcpBinding"
         bindingConfiguration="SecureTransportWindows"
         contract="YourContract" />
   </service>
</services>

<bindings>
   <!-- binding elements must sit inside the element for their binding type -->
   <netTcpBinding>
      <binding name="SecureTransportWindows">
         <security mode="Transport">
             <transport clientCredentialType="Windows" />
         </security>
      </binding>
   </netTcpBinding>
</bindings>

<behaviors>
   <serviceBehaviors>
      <behavior name="YourServiceBehavior">          
          <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
      </behavior>
   </serviceBehaviors>
</behaviors>

And then in the service code you can demand a Windows role:

using System.Security.Permissions;

class YourService : YourContract
{
    // A verbatim string keeps the backslash in the DOMAIN\Group name literal
    [PrincipalPermission(SecurityAction.Demand, Role = @"MYDOMAIN\Administrators")]
    public string SecuredOperation(string name)
    {
       return "secured operation";
    }
}

If you need to set it in config, then you must implement custom authorization:

<behavior name="YourServiceBehavior">          
   <serviceAuthorization principalPermissionMode="Custom">            
      <authorizationPolicies>
         <add policyType="YourCustomAuthorizationPolicy"/>
      </authorizationPolicies>          
   </serviceAuthorization>
</behavior>

And in code, implement the IAuthorizationPolicy interface:

using System.IdentityModel.Claims;
using System.IdentityModel.Policy;

public class YourCustomAuthorizationPolicy : IAuthorizationPolicy
{
   // Implement Id, Issuer and Evaluate(EvaluationContext, ref object); see MSDN
}
  • Thanks jlp, this is helpful, but we really would like to control the groups/roles who have access in the config file rather than hardcoded into the PrincipalPermission attribute in the code. We have now come up with a solution which I will write up as an alternative answer in case it's of benefit to anyone else. Thanks – barrylloyd May 24 '12 at 00:28
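An added example, not jlp's code and not from the question, that takes the `principalPermissionMode="Custom"` route above one step further so that the Windows groups live in web.config rather than in the attribute: the policy installs a principal whose role names are resolved through `appSettings`, and the operation keeps a fixed role name. The class names `GroupMappedAuthorizationPolicy` and `GroupMappedPrincipal`, the `Role.<name>` appSettings key convention and the `YourNamespace`/`YourAssembly` placeholders in the `policyType` value are assumptions.

```csharp
// Added example, not jlp's code. IAuthorizationPolicy for principalPermissionMode="Custom"
// whose principal resolves role names through web.config, e.g.
//   <appSettings>
//     <add key="Role.ServiceUser" value="MYDOMAIN\WCFAuthenticatedUsers;MYDOMAIN\Domain Admins" />
//   </appSettings>
//   <serviceAuthorization principalPermissionMode="Custom">
//     <authorizationPolicies>
//       <add policyType="YourNamespace.GroupMappedAuthorizationPolicy, YourAssembly" />
//     </authorizationPolicies>
//   </serviceAuthorization>
// The names GroupMappedAuthorizationPolicy, GroupMappedPrincipal, the "Role." key prefix and
// YourNamespace/YourAssembly are assumptions, not from the original post.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

namespace YourNamespace
{
    // Principal whose IsInRole(name) is true when the Windows caller belongs to any group
    // listed under the appSettings key "Role.<name>". Fails closed: a missing key, no
    // Windows identity or an unauthenticated caller all yield false.
    public sealed class GroupMappedPrincipal : IPrincipal
    {
        private readonly WindowsIdentity _identity;
        private readonly WindowsPrincipal _windows;

        public GroupMappedPrincipal(WindowsIdentity identity)
        {
            _identity = identity;
            _windows = identity == null ? null : new WindowsPrincipal(identity);
        }

        public IIdentity Identity { get { return _identity; } }

        public bool IsInRole(string role)
        {
            if (_windows == null || !_identity.IsAuthenticated) return false;
            string groups = ConfigurationManager.AppSettings["Role." + role];
            if (string.IsNullOrEmpty(groups)) return false;
            foreach (string entry in groups.Split(';'))
            {
                string group = entry.Trim();
                // WindowsPrincipal.IsInRole accepts "DOMAIN\Group" and checks it against the token's groups
                if (group.Length > 0 && _windows.IsInRole(group)) return true;
            }
            return false;
        }
    }

    public sealed class GroupMappedAuthorizationPolicy : IAuthorizationPolicy
    {
        private readonly string _id = Guid.NewGuid().ToString();

        public string Id { get { return _id; } }
        public ClaimSet Issuer { get { return ClaimSet.System; } }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            WindowsIdentity windowsIdentity = null;
            object value;
            if (evaluationContext.Properties.TryGetValue("Identities", out value))
            {
                var identities = value as IList<IIdentity>;
                if (identities != null)
                {
                    foreach (IIdentity identity in identities)
                    {
                        windowsIdentity = identity as WindowsIdentity;
                        if (windowsIdentity != null) break;
                    }
                }
            }
            // Always install a principal, so a non-Windows caller gets one that denies every role.
            evaluationContext.Properties["Principal"] = new GroupMappedPrincipal(windowsIdentity);
            return true; // evaluation is complete; WCF need not call this policy again
        }
    }

    [ServiceContract]
    public interface YourContract
    {
        [OperationContract]
        string SecuredOperation(string name);
    }

    // The role name in code stays fixed; which Windows groups satisfy it is decided by web.config.
    public class YourService : YourContract
    {
        [PrincipalPermission(SecurityAction.Demand, Role = "ServiceUser")]
        public string SecuredOperation(string name)
        {
            return "secured operation for " + name;
        }
    }
}
```

With `principalPermissionMode="Custom"` WCF sets `Thread.CurrentPrincipal` from `Properties["Principal"]` before dispatching the operation, so the `PrincipalPermission` demand is answered by `GroupMappedPrincipal.IsInRole`; a failed demand is returned to the caller as a fault and the operation body never runs. Changing which groups may call the service is then an edit to the `Role.ServiceUser` value, with no recompile.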

OK, this is the solution we came up with. Although it does involve a code change (adding the AspNetCompatibilityRequirements attribute), we can now achieve configuration of the groups/roles in the web.config file rather than hardcoding.

There are a number of steps to this...

1) Add the aspNetCompatibilityEnabled attribute to the serviceHostingEnvironment element and set it to true, e.g.:

<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />

This tells the WCF service to run in ASP.NET Compatibility Mode and participate fully in the ASP.NET HTTP request lifecycle. See this MSDN article for full details.

2) In the WCF code, add the AspNetCompatibilityRequirements attribute to the service class, as per the link above and as specified in this MSDN article:

<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)>

3) Now we can add the usual ASP.NET authorization element to restrict access to the specified groups/users (without settings (1) and (2) above, this would be ignored by WCF):

<system.web>
    <authorization>
        <allow roles="MYDOMAIN\WCFAuthenticatedUsers" /> <!-- allows access to users in this group -->
        <deny users="*" />                               <!-- denies access to all other users -->
    </authorization>
</system.web>
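An added C# example, not part of barrylloyd's answer, that pairs with steps (1) to (3): setting `RequirementsMode` to `Required` instead of `Allowed` makes host activation fail when `aspNetCompatibilityEnabled` is missing from web.config, so the `<authorization>` rules cannot be silently skipped, and the operation reports which identity ASP.NET applied those rules to next to the identity WCF itself sees. `IWhoAmIContract` and `WhoAmIService` are assumed names.

```csharp
// Added example, not the answer's code. Verifies that the ASP.NET pipeline (and so the
// <system.web><authorization> rules) is actually in the loop for this WCF service.
// IWhoAmIContract and WhoAmIService are assumed names.
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

[ServiceContract]
public interface IWhoAmIContract
{
    [OperationContract]
    string WhoAmI();
}

// Required (not Allowed): if aspNetCompatibilityEnabled="true" is absent from
// <serviceHostingEnvironment>, activation throws instead of quietly running outside
// the ASP.NET pipeline where UrlAuthorizationModule would never see the request.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class WhoAmIService : IWhoAmIContract
{
    public string WhoAmI()
    {
        // HttpContext.Current is only populated in ASP.NET compatibility mode.
        HttpContext ctx = HttpContext.Current;
        string aspNetUser = "(no HttpContext: compatibility mode is off)";
        if (ctx != null)
        {
            aspNetUser = ctx.User != null && ctx.User.Identity.IsAuthenticated
                ? ctx.User.Identity.Name          // the identity <allow roles=...> was evaluated against
                : "(anonymous)";
        }

        // The identity WCF established for the call, which may differ from the ASP.NET one.
        ServiceSecurityContext wcf = ServiceSecurityContext.Current;
        string wcfUser = wcf != null && wcf.PrimaryIdentity != null
            ? wcf.PrimaryIdentity.Name
            : "(none)";

        return "aspnet=" + aspNetUser + "; wcf=" + wcfUser;
    }
}
```

If `aspnet=` comes back anonymous while `wcf=` shows a domain account, the `<authorization>` rules are being evaluated against the wrong identity (IIS is not authenticating the HTTP request itself), and `<deny users="*" />` will block every caller rather than just those outside the group.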