We are moving from our old .NET 1.1 remoted system to a .NET 4.0 WCF architecture. Part of the system is a Desktop client app that we are using to call 300+ functions that sit on our middle tier.

We are consolidating these remotable functions into 9 services but need a good way to verify a user has first performed the "login" function before any other subsequent WCF calls.

Since login only happens on one of these services, I am not sure if there is a way to "federate" this across the services. (All are hosted on the same machine, same domain.) We are exposing the services over net.tcp with the goal of also allowing wshttp binding for external clients in the long run. (not sure if I get something extra with a different binding that might help)

What I've come up with is to host a singleton that holds authentication info. When a user login is verified and submitted to a "Security Store" we return a Guid back to the client to send with subsequent WCF calls.

And then each WCF call will validate against the singleton "Security Store".

So the question is... Can I use something native to WCF to accomplish this same goal?

Tojamismis
  • Since you want to go with a custom token based auth, have a look at my answer here, which pretty much covers your question: http://stackoverflow.com/questions/11349539/wcf-authentication-service-or-token-based-security/11350784#11350784 – Marcel N. Jul 06 '12 at 22:22
  • What are you authenticating to now? – paparazzo Jul 07 '12 at 02:31
  • We are using salt and hash against a DB using a custom class. But this gives me the idea that we might want to go the user credential route. Even if security decides we need to do a token, we could pass that token as the "Password" on the user credentials. I was hoping to find a way to not go back to the data store over and over again, but this will work. (But if it becomes a performance issue we can store it in our "cache" singleton.) Thanks! – Tojamismis Jul 07 '12 at 03:17
  • Why not have 1 service with 9 methods and implement the hash to DB as a custom Membership service authentication? – paparazzo Jul 07 '12 at 21:04

1 Answer

This table helps to select a binding: [image]

About security: WCF has several types of auth, see SecurityMode.

Ask something more specific; security in WCF is a big topic.

burning_LEGION
  • Specifically we need to still be able to authenticate against our custom validation on our database today. We use the salt and hash using a custom .net class. The issue is that we need to force the login to be the first call, but without the benefit of having "isinitiating" and "isterminating" that we would get with a single service. – Tojamismis Jul 07 '12 at 03:11
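
A sketch of the "Security Store" singleton described in the question, added here as an example and not code from any poster. The names `SecurityStore`, `Issue`, `TryValidate` and `Revoke` and the 20-minute idle timeout are assumptions, and a 32-byte token from a cryptographic RNG is used in place of the Guid so that the token's unpredictability does not depend on how Guids are generated.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical in-memory session store shared by all services in one host process.
public sealed class SecurityStore
{
    private sealed class Session
    {
        public readonly string UserName;
        public readonly DateTime ExpiresUtc;
        public Session(string userName, DateTime expiresUtc)
        { UserName = userName; ExpiresUtc = expiresUtc; }
    }

    // Assumed idle timeout; pick a value that matches your session policy.
    public static readonly SecurityStore Instance = new SecurityStore(TimeSpan.FromMinutes(20));
    private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

    private readonly ConcurrentDictionary<string, Session> _sessions =
        new ConcurrentDictionary<string, Session>(StringComparer.Ordinal);
    private readonly TimeSpan _idleTimeout;

    public SecurityStore(TimeSpan idleTimeout) { _idleTimeout = idleTimeout; }

    // Call only after the existing salt-and-hash check has accepted the credentials.
    public string Issue(string userName)
    {
        var bytes = new byte[32];
        Rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _sessions[token] = new Session(userName, DateTime.UtcNow + _idleTimeout);
        return token;
    }

    // True only for a known, unexpired token; a successful check slides the expiry.
    public bool TryValidate(string token, out string userName)
    {
        userName = null;
        Session current;
        if (string.IsNullOrEmpty(token) || !_sessions.TryGetValue(token, out current))
            return false;
        if (current.ExpiresUtc <= DateTime.UtcNow)
        {
            _sessions.TryRemove(token, out current);
            return false;
        }
        // TryUpdate is a no-op if the session was revoked or replaced concurrently.
        _sessions.TryUpdate(token, new Session(current.UserName, DateTime.UtcNow + _idleTimeout), current);
        userName = current.UserName;
        return true;
    }

    public void Revoke(string token) { Session s; if (token != null) _sessions.TryRemove(token, out s); }
}
```

Each of the 9 services would call `SecurityStore.Instance.TryValidate` with the token the client sent and fault the call when it returns false, which enforces "login first" without a shared session contract. Because the token is a bearer credential, it should only travel over a binding with transport or message security enabled.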