How can I use the Role Manager in a WCF Service?

Question

How can I use the Role Manager in a WCF Service?

In my .NET Application, I can restrict a class or a method with the [Authorize(Roles=)] tag. How can I enable this for my WCF Service?

I currently have the following binding set for each endpoint:

  <webHttpBinding>
    <binding name="TransportSecurity" maxReceivedMessageSize="5242880">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </webHttpBinding>

Since I want to have the user log in and receive a cookie with the principal, do I need to change this to another sort of clientCredentialType?

Edit 1:

This is using REST, not SOAP. It is also to note, that it is important that it works with mobile devices (android, iPhone) and can use cookies to maintain a session. So far, I have been unable to get this working, using the following code/config:

Config File:

   <roleManager enabled="true" defaultProvider="ActiveDirectoryRoleProvider" cacheRolesInCookie="true" cookieName="RoleCookie" cookiePath="/" cookieTimeout="30" cookieRequireSSL="false" cookieSlidingExpiration="true" createPersistentCookie="false" cookieProtection="All">
      <providers>
        <clear />
        <add name="ActiveDirectoryRoleProvider" connectionStringName="ADServices" connectionUsername="" connectionPassword="" attributeMapUsername="sAMAccountName" type="" />
      </providers>
    </roleManager>

    <membership defaultProvider="MembershipADProvider">
      <providers>
        <add name="MembershipADProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="" connectionStringName="ADServices" connectionUsername="" connectionPassword="" attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

<bindings>
  <webHttpBinding> <!-- webHttpBinding is for REST -->
    <binding name="TransportSecurity" maxReceivedMessageSize="5242880">
      <security mode="Transport">
      </security>
    </binding>
  </webHttpBinding>
</bindings>

<behaviors>
  <endpointBehaviors>
    <behavior name="web">
      <webHttp />
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehaviour">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
      <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="ActiveDirectoryRoleProvider" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="MembershipADProvider" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

Code

    public void SignIn2(string userName, bool createPersistentCookie)
    {
        if (String.IsNullOrEmpty(userName)) throw new ArgumentException("Value cannot be null or empty.", "userName");

        // put the attributes in a string for userdata
        string userData = "";

        // create the ticket
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
                                                userName,
                                                DateTime.Now,
                                                DateTime.Now.AddMinutes(240),
                                                createPersistentCookie,
                                                userData);

        // Now encrypt the ticket.
        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        // Create a cookie and add the encrypted ticket to the cookie as data.
        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

        // add the cookie
        HttpContext.Current.Response.Cookies.Add(authCookie);
    }

Now using the Principal Permission, I get a SecurityException (I know the role is valid on the server)

    [PrincipalPermission(SecurityAction.Demand, Role = Constants.RoleUser)]
    public Message TestRoles()
    {
        var context = NetworkHelper.GetWebOperationContext();

        return context.CreateTextResponse("You have successfully activated the endpoint.");
    }

Am I missing a crucial step here?

Answer 1

I wrote a blog post about how to using ASP.NET authentication with WCF; the gist of it is that you want to use the following binding:

  <basicHttpBinding>
    <binding>
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </basicHttpBinding>

You must also apply the following serviceBehavior

    <behavior>
      <!-- no need for http get;
          but https get exposes endpoint over SSL/TLS-->
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
      <!-- the authorization and credentials elements tie
        this behavior (defined as the default behavior) to
        the ASP.NET membership framework-->
      <serviceAuthorization
          principalPermissionMode="UseAspNetRoles"
          roleProviderName="AspNetRoleProvider" />
      <serviceCredentials>
        <userNameAuthentication
            userNamePasswordValidationMode="MembershipProvider"
            membershipProviderName="AspNetMembershipProvider" />
      </serviceCredentials>
    </behavior>

An important point to note is that you must use SSL if you're going to secure WCF with a name and password, that's why transport security is specified.

Once you've done this, you should be able to use the PrincipalPermission attribute to secure your service methods.

Answer 2

I had the similar problem with the principal, a long time ago. I don't remember the details, but try this, from my very old project:

i. You have to add 2 helper classes:

---

using System.Web;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;

namespace TicketingCore
{
    public class HttpContextPrincipalPolicy : IAuthorizationPolicy
    {
        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            HttpContext context = HttpContext.Current;

            if (context != null)
            {
                evaluationContext.Properties["Principal"] = context.User;
            }

            return true;
        }

        public System.IdentityModel.Claims.ClaimSet Issuer
        {
            get { return ClaimSet.System; }
        }

        public string Id
        {
            get { return "TicketingCore HttpContextPrincipalPolicy"; }
        }
    }
} 


using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Text;
using System.Web;
using System.Security.Principal;

namespace TicketingCore
{
    // syncs ServiceSecurityContext.PrimaryIdentity in WCF with whatever is set 
    // by the HTTP pipeline on Context.User.Identity (optional)
    public class HttpContextIdentityPolicy : IAuthorizationPolicy
    {
        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            HttpContext context = HttpContext.Current;

            if (context != null)
            {
                // set the identity (for PrimaryIdentity)
                evaluationContext.Properties["Identities"] = 
                    new List<IIdentity>() { context.User.Identity };

                // add a claim set containing the client name
                Claim name = Claim.CreateNameClaim(context.User.Identity.Name);
                ClaimSet set = new DefaultClaimSet(name);
                evaluationContext.AddClaimSet(this, set);
            }

            return true;
        }

        public System.IdentityModel.Claims.ClaimSet Issuer
        {
            get { return ClaimSet.System; }
        }

        public string Id
        {
            get { return "TicketingCore HttpContextIdentityPolicy"; }
        }
    }
}

ii. Change the webconfig to add these 2 policy, here's my config (format: add policyType="namespace.class, assembly" )

<serviceBehaviors>
    <behavior name="ServiceBehavior">
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="SQLMembershipProvider"/>
      </serviceCredentials>
      <serviceAuthorization principalPermissionMode="Custom">
        <authorizationPolicies>
          <add policyType="TicketingCore.HttpContextIdentityPolicy, TicketingCore"/>
          <add policyType="TicketingCore.HttpContextPrincipalPolicy, TicketingCore"/>
        </authorizationPolicies>
      </serviceAuthorization>
      <serviceMetadata httpGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="false"/>
    </behavior>
  </serviceBehaviors>

iii. Ensure the cookie and role are working fine

Note: I don't remember the source of the solution as well, you may need to google the class name to find out, hope the will be helpful to you, good luck!

Answer 3

I think something like this will provide what you're looking for:

// Only members of the SpecialClients group can call this method.
[PrincipalPermission(SecurityAction.Demand, Role = "SpecialClients")]
public void DoSomething()
{ 
}

You can find a good article on the different options for setting up your service here: MSDN Article. You may want to update your configuration with something like:

<security mode="TransportWithMessageCredential" >
    <transport clientCredentialType="Windows" />
</security>

Answer 4

Two years ago I've blogged on a wcf integration with forms authentication and the principal permission attributes. I believe you will find this useful:

http://netpl.blogspot.com/2010/04/aspnet-forms-authentication-sharing-for.html

Answer 5

check out this question Passing FormsAuthentication cookie to a WCF service. The main point is that authentification cookie cannot either be send or received, because of cookie domain/asp settings/auth encryption key. I recommend you to dump that cookie value for debugging purposes Request.Cookies[".ASPXAUTH"].