I'm currently working on a backend infrastructure and I could use some advice.
First, here is the current global architecture:
- I have WCF services hosted in IIS
- I have multiple databases hosted on SQL Server: one `ClientData` database per client and one global `MasterDatabase`. `MasterDatabase` contains a mapping of credentials associated with a connection string. That database allows me to use the appropriate `ClientData` database (via Entity Framework) depending on the credentials provided.
- I'm using Basic Auth over SSL.
- Credential verification is done in the overridden method `checkAccessCore()` in my `ServiceAuthorizationManager` subclass. Inside that method, I fetch `MasterDatabase`, ensure the credentials are correct (passwords are saved in the DB using Bcrypt) and retrieve the connection string.
- Once the connection string is retrieved, I create an instance of my class `CustomIdentity` that inherits from `GenericIdentity`. Using that instance I can then set the `Thread.CurrentPrincipal` property.
- Each WCF service implementation retrieves the connection string from the `CustomPrincipal` in order to fetch data from the appropriate `ClientData` database.
My questions/thoughts are the following:
If I decide to use concurrency in my WCF services, how will I handle that, given that `CheckAccessCore` is a method of a WCF extension that forces concurrent operations to run sequentially? http://support.microsoft.com/kb/KbView/2907010
This means that all my calls will be enqueued and blocked at the `checkAccessCore` level.
Overriding `checkAccessCore` is the best way I found to intercept calls early in the call stack in order to verify user credentials.
Should I use a different way to transport the client connection string other than over the custom identity? Is it secure?
If I use concurrency, I guess the identity set into the CustomPrincipal will be overridden. If yes, how to handle that?