
I've seen solutions where you can restrict access in WCF using Membership in ASP.NET (How do I restrict access to some methods in WCF?), but I'm wondering if there is anything similar using the FormsAuthenticationTicket.

I don't have Membership configured on my site, and I'm using the FormsAuthenticationTicket and methods in WCF to log in and so on.

The WCF service is not configured to use SSL YET, because the man I work for has not bought a cert through our hosting company (don't know if relevant).

The main thing is that I need to protect some methods in my WCF service from unauthorized access, and if there's another, simpler solution I would love some input on that too.

I'm very new to WCF and security overall, but familiar with ASP.NET and C#. I would love some pedagogical answers, and not just a solution or idea.

UPDATE: Some pastebin links for my solution:

wcf.svc http://pastebin.com/S3bTPKaV

wcf webconfig: http://pastebin.com/Pshf7STz

Client Webconfig: http://pastebin.com/QY9252mB

J.Olsson

1 Answer


This is possible and is commonly used - you have to guard your calls with the principal permission requirement.

Here is one of my tutorials:

http://netpl.blogspot.com/2010/04/aspnet-forms-authentication-sharing-for.html

Don't let the title mislead you: this is not only about Silverlight but about any other way of accessing the WCF service that is capable of carrying cookies.

Wiktor Zychla
  • Interesting, but say I would create another website and call the method from there when I'm signed in. Wouldn't that allow access to the WCF method? (Maybe my question was unclear from the start; I want to control which sites have access to this WCF.) – J.Olsson Aug 10 '13 at 22:01
  • I also tried to follow your blog post, but ended up with "Request for principal permission failed." It seems I don't even pass the ticket to the WCF service, and I really don't know why, or how I should solve that. – J.Olsson Aug 10 '13 at 23:15
  • Apparently the request you are making has no cookie or has a wrong cookie. Typically you can debug such issues with an HTTP debugger like Fiddler or Charles. – Wiktor Zychla Aug 11 '13 at 07:37
  • It seems it's sending the cookie, but it's encrypted (as I intended when I created the ticket). Can this be a problem? And where should I decrypt the ticket? In the WCF constructor? (Sorry about all these questions, but I'm only trying to learn this.) – J.Olsson Aug 11 '13 at 09:43
  • You don't decrypt the cookie manually. It is the FormsAuthenticationModule which does this automatically and sets up the HttpContext.Current.User accordingly. – Wiktor Zychla Aug 11 '13 at 09:54
  • I understand. In debugging it says that the user is anonymous and not authenticated, even though I should be. I have uploaded an update on my original post. It would be amazing if you could take a look and see if I'm missing something in the web.config and such. – J.Olsson Aug 11 '13 at 10:30
  • What are 'client web.config' vs 'wcf web.config'? What is the architecture so that you have two web.configs? – Wiktor Zychla Aug 11 '13 at 11:12
  • Oh, I forgot to mention that. The client web.config is the web.config for an ASP.NET website (separate project). The WCF web.config is for a WCF application service (separate project). The ASP.NET project connects to the WCF via a service reference. (Both projects are located in the same solution.) – J.Olsson Aug 11 '13 at 11:53
  • The WCF site's config seems to lack the authentication section where forms authentication mode is set. Without it, forms authentication doesn't work. Also, passing forms cookies between two separate web sites works ONLY if cookies target the same domain on the same web server. Make sure you have both sites on the same physical server and make sure that `forms` sections on both sites define the same `domain` attribute (for example, ASP.NET site is `foo.bar.com`, WCF site is `qux.bar.com` and the `domain` attribute in both web.configs is set to `bar.com` so that the cookie is accepted on both). – Wiktor Zychla Aug 11 '13 at 12:05
  • I will experiment a little more and hopefully get to a working solution; this definitely directed me in the right direction. You have been more than helpful! I couldn't possibly have asked for more detailed answers. Have a good day, sir! – J.Olsson Aug 11 '13 at 12:39
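Putting the answer and the comment thread together, here is an added example (my own code, not from the question, the answer or the linked blog post) of the two pieces the scheme needs: a WCF service whose operations are guarded with PrincipalPermission demands, relying on ASP.NET compatibility mode so that FormsAuthenticationModule turns the forms cookie into the current principal, and the separate ASP.NET site forwarding that cookie on its server-to-server call so the WCF site sees it at all. The contract, namespace and method names are made up; the web.config settings quoted in the comments are the standard ASP.NET/WCF elements the scheme depends on.

```csharp
// Added example; not code from the question, the answer or the linked blog post.
// Assumed web.config on the WCF site (standard ASP.NET/WCF elements, values are placeholders):
//   <system.web>
//     <authentication mode="Forms"><forms name=".ASPXAUTH" domain="bar.com" /></authentication>
//     <machineKey validationKey="..." decryptionKey="..." />   <!-- identical on both sites -->
//   </system.web>
//   <system.serviceModel>
//     <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
//     <!-- inside the service behavior: with the default UseWindowsGroups, WCF overwrites
//          Thread.CurrentPrincipal and the forms identity set by ASP.NET is lost -->
//     <serviceAuthorization principalPermissionMode="None" />
//   </system.serviceModel>
using System;
using System.Net;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Channels;
using System.Threading;
using System.Web;
using System.Web.Security;

namespace FormsAuthWcfExample   // hypothetical namespace
{
    [ServiceContract]
    public interface IOrderService
    {
        [OperationContract] string PublicInfo();
        [OperationContract] string MyOrders();
        [OperationContract] void DeleteOrder(int orderId);
    }

    // ASP.NET compatibility mode runs the ASP.NET pipeline (including FormsAuthenticationModule)
    // before WCF dispatches the call, so HttpContext.Current.User and Thread.CurrentPrincipal
    // already hold the identity from the decrypted ticket when the demand is evaluated.
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class OrderService : IOrderService
    {
        // No demand: anonymous callers are allowed here.
        public string PublicInfo()
        {
            return "public";
        }

        // Demand an authenticated principal. Without a valid ticket the runtime throws
        // SecurityException ("Request for principal permission failed.") before the body runs.
        [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
        public string MyOrders()
        {
            return "orders for " + Thread.CurrentPrincipal.Identity.Name;
        }

        // Demand a role as well; roles come from whatever populates the principal
        // (a RoleProvider, or a custom principal assigned in PostAuthenticateRequest).
        [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
        public void DeleteOrder(int orderId)
        {
            // privileged work here
        }
    }

    // Client side, in the separate ASP.NET site. The browser sends the forms cookie to the
    // ASP.NET site, not to the WCF site, so a server-to-server call must forward it explicitly
    // in the outgoing HTTP request; otherwise the WCF site sees an anonymous user.
    public static class OrderServiceCaller
    {
        public static string CallMyOrders(ChannelFactory<IOrderService> factory, HttpRequest incoming)
        {
            HttpCookie ticket = incoming.Cookies[FormsAuthentication.FormsCookieName];
            if (ticket == null)
            {
                throw new InvalidOperationException("caller is not signed in");
            }

            IOrderService channel = factory.CreateChannel();
            using (new OperationContextScope((IContextChannel)channel))
            {
                // Attach the encrypted ticket as a Cookie header; the WCF site's
                // FormsAuthenticationModule decrypts it with the shared machineKey.
                var http = new HttpRequestMessageProperty();
                http.Headers[HttpRequestHeader.Cookie] = ticket.Name + "=" + ticket.Value;
                OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] = http;
                return channel.MyOrders();
            }
        }
    }
}
```

Two checks worth adding to the comment thread: the ticket is encrypted and signed with the site's machineKey, so both sites need identical validationKey/decryptionKey values or the WCF site will silently treat the cookie as invalid and the caller as anonymous (exactly the symptom described above); and because the cookie is the only credential, it is a bearer token, so until the service is behind HTTPS anyone who can read the traffic can replay it, and requireSSL="true" belongs on the forms element once the certificate is in place. Note also that PrincipalPermission authorizes the user carrying the ticket, not the calling site; restricting which sites may call the service needs a separate credential for the caller, for example transport security with client certificates.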