
I have WCF Service where user can add a simple message. Before service put message to database, I need to authorize user, like here:

    // Every call carries the session token, the user's password and the user's number in the URL path
    [OperationContract]
    [WebGet(UriTemplate = "/GetMessages/{SessionToken}/{UserPassword}/{UserGLKNumber}")]
    Messages GetMessages(string SessionToken, string UserPassword, string UserGLKNumber);

It's obvious that this solution is not good (sending the user's password and number in the URL). So, what is another approach?

What is important: I have a client written in Java/PHP/Obj-C (a simple, small application), in any case not in C#.

whoah
  • I'd recommend using a custom `UserNamePasswordValidator` and consuming it e.g. like [this](http://stackoverflow.com/questions/6652227/how-to-consume-a-wcf-web-service-that-uses-custom-username-validation-with-a-php). Note: this pattern does not support tokens and requires validating the username and password before every service call! – Stefan Over Jan 02 '14 at 14:11
  • after reading that example, it is still unclear for me.. can you give me some other examples? Regards! – whoah Jan 02 '14 at 15:36
  • I used [this](http://www.codeproject.com/Articles/96028/WCF-Service-with-custom-username-password-authenti) example when implementing it on my own. It works very well so far (I use a console application as the consumer). – Stefan Over Jan 02 '14 at 15:48

2 Answers


Write a Login method and use the ASP.NET auth cookie (forms-based authentication); see this. Or use Basic authentication and let the client authenticate in the standard HTTP way.

Arci

You have to distinguish between Authentication (who is it) and Authorization (what can he do then). For the first you have a variety of options, of which Windows (the logon credentials of the user) or Basic (username + password) are the most straightforward. This is just a matter of configuration on the service side.

On the other hand, authorization can be done on identity (which user is it) or by role (which roles apply to this user). The latter is possible "in code" with if/else constructs, but also with attributes on the method: `[PrincipalPermission(SecurityAction.Demand, Role="Administrator")]`. This specifies that you "demand" that the user accessing the method has the "role" Administrator (something you specify yourself).

To supply roles to the identity you need some sort of role provider; obviously it is not something the user can provide. Therefore you can use the ASP.NET RoleProvider or a Secure Token Service that stands in between.

You can read more about it here: http://msdn.microsoft.com/en-us/library/ff405740.aspx

riezebosch
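Putting the comments' suggestion (a custom `UserNamePasswordValidator`) and this answer's suggestion (`PrincipalPermission` role demands fed by a role source) together, here is an added, self-hosted WCF example. It is not code from the question or from either answer, and every name in it (`IMessageService`, `HashedPasswordValidator`, `RoleAuthorizationPolicy`, the user "alice", the "User" role, port 8443) is a made-up assumption. It assumes self-hosting (under IIS, IIS handles Basic authentication itself and the custom validator is not called) and an HTTPS certificate already bound to the port, so the password travels in the `Authorization` header over TLS instead of in the URL path, where it would land in server logs, browser history and proxy caches.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.ServiceModel.Web;

// Contract (hypothetical): no credentials in the URL any more; the caller is identified by HTTP Basic auth.
[ServiceContract]
public interface IMessageService
{
    [OperationContract]
    [WebGet(UriTemplate = "/GetMessages")]
    List<string> GetMessages();
}

public class MessageService : IMessageService
{
    // Authorization by role: a caller without the "User" role gets a SecurityException before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "User")]
    public List<string> GetMessages()
    {
        // Authentication already happened; read who the caller is instead of trusting request parameters.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return new List<string> { "hello " + caller };
    }
}

// Authentication: the custom validator from the comments. Passwords are stored as salted PBKDF2
// hashes, so the plaintext only ever exists inside Validate().
public class HashedPasswordValidator : UserNamePasswordValidator
{
    const int Iterations = 100000;
    // Constructed demo store (hypothetical user); a real service would read this from a database.
    static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);
    static HashedPasswordValidator() { Register("alice", "correct horse battery staple"); }

    public static void Register(string user, string password)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Users[user] = Tuple.Create(salt, Derive(password, salt));
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(32);
    }

    public override void Validate(string userName, string password)
    {
        Tuple<byte[], byte[]> entry = null;
        bool known = userName != null && Users.TryGetValue(userName, out entry);
        // Run the KDF even for unknown users so both outcomes take the same time.
        byte[] candidate = Derive(password ?? "", known ? entry.Item1 : new byte[16]);
        if (!known || !FixedTimeEquals(candidate, entry.Item2))
            throw new SecurityTokenException("Unknown user name or incorrect password");
    }

    // Byte-by-byte comparison that does not stop at the first mismatch.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Authorization: attaches roles to the authenticated identity so PrincipalPermission can check them.
// The role table is constructed; the answer points at ASP.NET RoleProvider or an STS for real deployments.
public class RoleAuthorizationPolicy : IAuthorizationPolicy
{
    static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]> { { "alice", new[] { "User" } } };
    public string Id { get { return "role-policy"; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        object obj;
        if (!evaluationContext.Properties.TryGetValue("Identities", out obj)) return false;
        var identities = obj as IList<IIdentity>;
        if (identities == null || identities.Count == 0) return false;
        string[] roles;
        if (!Roles.TryGetValue(identities[0].Name, out roles)) roles = new string[0];
        // WCF copies this principal to Thread.CurrentPrincipal, which PrincipalPermission consults.
        evaluationContext.Properties["Principal"] = new GenericPrincipal(identities[0], roles);
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Transport security (HTTPS) plus Basic credentials: the password is in a header, encrypted in transit.
        var binding = new WebHttpBinding(WebHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        var host = new WebServiceHost(typeof(MessageService), new Uri("https://localhost:8443/messages"));
        host.AddServiceEndpoint(typeof(IMessageService), binding, "");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new HashedPasswordValidator();
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(
            new List<IAuthorizationPolicy> { new RoleAuthorizationPolicy() });
        host.Open();
        Console.WriteLine("Listening on https://localhost:8443/messages; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Because the credential rides in a standard `Authorization: Basic` header, the Java/PHP/Obj-C client from the question needs no WCF-specific code; any HTTP library that supports Basic authentication over HTTPS can call `/GetMessages`, which is what the first answer means by authenticating "in the standard HTTP way". The trade-off the comment notes still applies: the validator runs on every call, so the per-call PBKDF2 cost is the price of not handing out tokens.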