1

Here's our scenario:

  • We have an MVC3 Application 'MVC3ABC' in solution S1 that is secured using Forms Authentication (currently the user details are just in the web.config for early dev but they will be in an SQL Server database soon).

  • MVC Controller C1 calls through to a WCF service W1 which has the .svc file under a separate ASP.NET web project in solution S1. In this case, the WCF service does not need to know which particular user is logged in, just that it is an authenticated user accessing.

  • MVC View V1 is hosting a Silverlight4 App SLV1 which calls through to a WCF service W2 which has the .svc file under a separate ASP.NET web project in a different solution S2. In this case, the WCF service does need to know which particular user is logged in as it will get data from different databases depending on which user is logged into the MVC site.

So essentially, what we require is that access to the two WCF services can be done from the MVC site by users already authenticated through the MVC application and in the case of the W2 service, we need to know which user it is. Any access to the WCF services outside the MVC site needs to also be authenticated or shouldn't work (no anonymous access to the WCF services is permitted).

Is there a standard approach to solving this problem? Does anyone know of any sample projects where I can see this kind of thing in action?

A few extra details - we are using Visual Studio 2012 RC, .NET 4.5 and IIS7.

Thanks

trembler2003

1 Answer

1

I guess what you are trying to achieve is sharing the Forms Authentication across MVC application and the WCF services. You could do that :)

The idea is you have to share the cookie from the MVC application to the WCF services.

The following are the things you have to take care of when doing this.

  1. The MVC and WCF services should use the same forms and machineKey sections in the web.config. See here. This means the WCF services should also use forms authentication, and all three of them should share the same machine key so that the cookie can be shared.

  2. Of course the WCF services should run in ASP.NET compatibility mode.

  3. When making calls to WCF services you should manually add the forms authentication cookie to the outgoing message header. See here.

EDIT:

Based upon the OP's comment I'm updating my answer.

The above solution seems to be good when the WCF service has to be used only by the MVC and not by other clients. But if the WCF service also has to be consumed by clients other than the MVC project, then those clients will face a tough time because they have to construct the cookie and append it to the request (I'm not sure whether this is possible!).

So a little more elegant solution would be to make the WCF services self-contained, meaning, integrate the authentication/authorization mechanism separately into them. One way is that you can easily integrate the ASP.NET membership provider into the WCF services. This way the authentication will happen separately at the WCF service side. The other advantage is that third-party clients or other applications can easily consume the WCF service, passing the credentials through the proxy.

So here is a link that says how to configure asp.net membership provider in WCF service,

VJAI
  • Thanks @Mark - Will be giving this a go on Monday – trembler2003 Jul 13 '12 at 15:13
  • Thanks @Mark - I've got this mostly all working now to one of the WCF services - just got to set it up for the other one. However, I have been reading that this may not be the best way to do all this so I would be interested to hear any other views/methods - this was mainly from reading the question someone raised on this [page here](http://www.codeproject.com/Articles/380900/WCF-Authentication-and-Authorization-in-Enterprise?msg=4245688#xx4245688xx) – trembler2003 Jul 17 '12 at 10:57
  • Thanks again @Mark - I will be looking at this update tomorrow as yes, we do need the WCF service to be accessible by other clients other than just the MVC. – trembler2003 Jul 17 '12 at 21:25
  • Hi @Mark - I've now read up on this and all seems fine apart from how to pass the username/password from the MVC app to the WCF services. The username is available in the httpcontext identity object but not the password (as kind of expected)... so I'm now looking at suggestions made in [this post](http://stackoverflow.com/questions/3451578/wcf-authentication-using-sql-membership-provider) unless you have any ideas on this detail yourself? – trembler2003 Jul 18 '12 at 11:35
  • I thought the same thing yesterday :) will update you on that – VJAI Jul 18 '12 at 12:05
  • Hi @Mark - I've now been looking at using the WCF Authentication Service along with Forms Authentication on each of the WCF services. In this case, as I understand, any other client can call the AuthenticationService first to get a cookie and then use it to access the WCF services. However, to throw a spanner into the works, we also have a RESTful version of the W2 service (from the original post). Can this also work in some way with Forms Authentication? – trembler2003 Jul 19 '12 at 08:39
  • Hi @Mark - I've only unaccepted the answer for now to see if more input can then be gained from others. – trembler2003 Jul 19 '12 at 09:10
  • Hi @Mark - reaccepted this as the answer as we did go down the cookie passing route in the end, which has successfully worked with the RESTful services as well. – trembler2003 Sep 05 '12 at 14:13
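
The cookie-passing route from the answer (shared forms/machineKey settings, ASP.NET compatibility mode, cookie added to the outgoing request), sketched as an added example that is not code from the answer or the asker's project. `IReportService`, `ReportService`, `ReportController`, `GetDataForCaller` and the endpoint name `ReportEndpoint` are hypothetical.

```csharp
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Channels;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
[ServiceContract]
public interface IReportService { [OperationContract] string GetDataForCaller(); } // hypothetical
// Service project. Its web.config has the same <machineKey> and <forms name="...">
// as the MVC site, plus <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class ReportService : IReportService
{
    public string GetDataForCaller()
    {
        // In compatibility mode the ASP.NET pipeline has already validated the cookie.
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new FaultException("Authentication required."); // no anonymous access
        return "data for " + user.Identity.Name;                 // key for the per-user lookup
    }
}

// MVC project: forward the caller's forms-authentication cookie on the outgoing call.
[Authorize]
public class ReportController : Controller
{
    public ActionResult Index()
    {
        HttpCookie ticket = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (ticket == null) return new HttpUnauthorizedResult();
        var factory = new ChannelFactory<IReportService>("ReportEndpoint"); // assumed endpoint name
        try
        {
            IReportService proxy = factory.CreateChannel();
            using (new OperationContextScope((IContextChannel)proxy))
            {
                var http = new HttpRequestMessageProperty();
                http.Headers[HttpRequestHeader.Cookie] = FormsAuthentication.FormsCookieName + "=" + ticket.Value;
                OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] = http;
                ViewBag.Data = proxy.GetDataForCaller();
            }
            factory.Close();
        }
        catch { factory.Abort(); throw; }
        return View();
    }
}
```

Leave `allowCookies` at its default of `false` on the client binding, since WCF's own cookie container otherwise replaces the manually set header. The forwarded cookie is a bearer credential, so the service endpoint belongs on HTTPS.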