
Wondering about how to do the following efficiently, securely, and in a fashion that won't have us tearing our hair out because of overcomplication: we have an ASP.Net site that uses forms authentication and would like to implement some WCF restful web services that can be called from the first site, provided the user calling them has been authenticated.

We'd like to host the WCF RESTful service in a different web site from the ASP.Net site. Both sites will be in the same domain (my-domain.com for instance).

I've been reading up on the various bindings in WCF and am not sure if webHttpBindings are the way to go here (they are the most REST-friendly, but can they accommodate forms-authenticated users?).

I'm looking for suggestions and references as much as code, but I'd love to know where to start and what to look for, what's possible and what isn't.

Every time I read about WCF authentication it seems to inevitably sluice into discussions about WS-security and X509 certificates, and I don't know that I need all that for what I'm doing? What I'm really looking to build is a series of WCF restful services that only respond to forms-authenticated users. If that's not possible without diving deep into WS-Security and X509 then so be it, but I'd like to keep it as simple as possible.

Note: I asked a somewhat similar question about a month ago, but have decided to go with forms authentication.

larryq

2 Answers


If you are not calling your WCF services from the browser, then you don't even need to secure them. Just call them from your ASPX code to a non-public site that hosts WCF. Or use X509 certs in a server-to-server mode.

If you do plan to call them from the browser, then things get more complicated. In this case, you may want to ditch WCF and look at the Web API included in the MVC 4 beta release to build your REST services.

http://www.asp.net/web-api

0leg
  • Exactly how would using the Web API help in this case? – John Saunders Jun 06 '12 at 18:09
  • In a Web API app, it is much easier to make authentication/authorization decisions based on the forms auth cookie passed in. – 0leg Jun 06 '12 at 19:16
  • It turns out that using forms auth with WCF is easier than I thought. Never had a need to do that. [another post](http://stackoverflow.com/questions/1087271/passing-formsauthentication-cookie-to-a-wcf-service) – 0leg Jun 06 '12 at 19:43
  • Thanks 0leg. These WCF services would be public-facing (called using Ajax/javascript in the browser), and therefore could be called by a third party, if they knew where to look. That's why I'd like to secure them so that only a forms-authenticated client could call them. Thanks for your link above. – larryq Jun 08 '12 at 15:29
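The approach the comments converge on (letting the WCF site's own FormsAuthenticationModule decode the forms cookie) looks like this in code. This is an added example, not code from the question, the answers or the linked post; the service name `OrdersService`, the `Order` contract and the `GetOrder` operation are assumptions made for the example. It depends on ASP.NET compatibility mode being enabled for the service site, so that `HttpContext.Current.User` is populated from the `.ASPXAUTH` cookie before the operation runs.

```csharp
// Added example: a webHttpBinding WCF service that answers only to callers
// carrying a valid forms-authentication ticket. Names below are assumptions.
using System;
using System.Net;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;

[DataContract]
public class Order
{
    [DataMember] public string Id { get; set; }
    [DataMember] public string Owner { get; set; }
}

[ServiceContract]
// Required: without ASP.NET compatibility the HttpContext (and the forms
// ticket decoded from the cookie) is not available inside the operation.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class OrdersService
{
    // Central gate called first by every operation. A missing or invalid
    // ticket yields HTTP 401 and no data; the ticket's validity (signature,
    // expiry) has already been checked by FormsAuthenticationModule.
    private static bool IsFormsAuthenticated()
    {
        HttpContext ctx = HttpContext.Current;
        bool ok = ctx != null && ctx.User != null && ctx.User.Identity.IsAuthenticated;
        if (!ok)
        {
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
        }
        return ok;
    }

    [OperationContract]
    [WebGet(UriTemplate = "orders/{id}", ResponseFormat = WebMessageFormat.Json)]
    public Order GetOrder(string id)
    {
        if (!IsFormsAuthenticated())
        {
            return null;
        }

        // The caller's identity comes from the ticket, never from the request.
        string user = HttpContext.Current.User.Identity.Name;

        // Constructed sample data standing in for a real lookup.
        return new Order { Id = id, Owner = user };
    }
}
```

For the cookie from the ASP.NET site to be accepted by the service site, both web.config files need the same `<authentication mode="Forms">` settings with an identical `<forms name="..." domain=".my-domain.com">` cookie name and domain, and an identical `<machineKey>` (validationKey and decryptionKey), since the ticket is encrypted and signed with those keys. The service site additionally needs `<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />`, a `<webHttp />` endpoint behaviour, and a .svc file using `System.ServiceModel.Activation.WebServiceHostFactory`. Two caveats for browser callers: if the service lives on a different host name than the page (api.my-domain.com versus www.my-domain.com), the browser's same-origin policy blocks the Ajax call unless the service sends CORS headers that allow credentials; and because the cookie is sent automatically, a cookie-only check does not by itself protect against cross-site request forgery, which is what the token in the second answer addresses.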

Have your JavaScript generated from the code behind. If Page.User.IsAuthenticated, render the ajax script. If not, render JavaScript that alerts the user that they need to be logged in. If you don't want the user cutting the JavaScript out of the browser source and running it later, when they are not authenticated, you will need to generate a token based on the session ID, that can be passed between the site and the service.
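One way to realise the token this answer describes, as an added example that is not part of the answer or of any project on the page. Because the service site has no access to the page site's session store, the example binds the token to what the service can actually verify: the user name from the forms-auth ticket plus an expiry, all authenticated with an HMAC under a secret shared by both sites. The class `CallToken`, the header name `X-Call-Token` and the secret value are assumptions for the example; reading `HttpContext.Current` inside the service assumes ASP.NET compatibility mode is enabled.

```csharp
// Added example: a short-lived token rendered into the authenticated page's
// script and verified by the WCF service on each call. Names are assumptions.
using System;
using System.Security.Cryptography;
using System.ServiceModel.Web;
using System.Text;
using System.Web;
using System.Web.UI;

public static class CallToken
{
    public const string HeaderName = "X-Call-Token";

    // Assumption: in a real deployment this comes from configuration shared
    // by both sites (e.g. machineKey-style setting), never a literal.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("replace-with-32-random-bytes");

    // Token layout: base64(userName) | expiryUtcTicks | hex(HMAC-SHA256(payload))
    // Base64 keeps '|' out of the user name so the layout parses unambiguously.
    public static string Issue(string userName, TimeSpan lifetime)
    {
        string user = Convert.ToBase64String(Encoding.UTF8.GetBytes(userName));
        long expiry = DateTime.UtcNow.Add(lifetime).Ticks;
        string payload = user + "|" + expiry;
        return payload + "|" + Mac(payload);
    }

    // Valid only if unexpired, signed with our secret, and issued for the same
    // user the forms cookie authenticated on this request.
    public static bool Validate(string token, string authenticatedUser)
    {
        if (string.IsNullOrEmpty(token) || string.IsNullOrEmpty(authenticatedUser)) return false;
        string[] parts = token.Split('|');
        if (parts.Length != 3) return false;

        long expiry;
        if (!long.TryParse(parts[1], out expiry) || expiry < DateTime.UtcNow.Ticks) return false;

        string expectedUser = Convert.ToBase64String(Encoding.UTF8.GetBytes(authenticatedUser));
        if (!string.Equals(parts[0], expectedUser, StringComparison.Ordinal)) return false;

        return FixedTimeEquals(Mac(parts[0] + "|" + parts[1]), parts[2]);
    }

    // Page side (code-behind): emit the token only for authenticated users.
    public static void RenderIntoPage(Page page)
    {
        if (!page.User.Identity.IsAuthenticated) return;
        string token = Issue(page.User.Identity.Name, TimeSpan.FromMinutes(20));
        string script = "var callToken = '" + HttpUtility.JavaScriptStringEncode(token) + "';";
        page.ClientScript.RegisterStartupScript(typeof(CallToken), "callToken", script, true);
    }

    // Service side: call at the top of each WCF operation. Requires the forms
    // cookie AND a matching token header, so a stolen script alone is useless.
    public static bool CurrentCallIsAuthorized()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated) return false;
        string token = WebOperationContext.Current.IncomingRequest.Headers[HeaderName];
        return Validate(token, ctx.User.Identity.Name);
    }

    private static string Mac(string payload)
    {
        using (var hmac = new HMACSHA256(Secret))
        {
            byte[] tag = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
            return BitConverter.ToString(tag).Replace("-", "");
        }
    }

    // Constant-time comparison so the tag cannot be guessed byte by byte.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The page's Ajax code sends `callToken` in the `X-Call-Token` header (for example via `XMLHttpRequest.setRequestHeader`). Since the token is only ever written into a page served to an authenticated user, and a page on another site cannot read it, requiring both the cookie and the header also closes the cross-site request forgery hole that a cookie-only check leaves open. The `HttpUtility.JavaScriptStringEncode` call exists from .NET 4 onward; on 3.5 the token would need to be escaped another way before being embedded in script.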