0

I know for WCF to work with a membership provider you have to explicitly configure it: (e.g. http://www.codewrecks.com/blog/index.php/2009/09/08/use-aspnet-membership-provider-with-a-wcf-svc-service/)

But if you already have the ASP.NET site using it, can't you prevent anonymous access to the service simply by doing the following?

  <location path="PathToWCFService">
    <system.web>
      <authorization>
        <deny users"?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Assuming this works, then I would guess WCF wouldn't have access to the membership information? Any other reasons why this might be a bad idea? Thanks!

Edit: Any other way to use WCF with the membership provider that doesn't require maintaining a certificate?

Nelson Rothermel
  • 9,436
  • 8
  • 62
  • 81
  • No you cannot - WCF is really not tied to ASP.NET in any way, shape or form and by default doesn't use the ASP.NET processing pipeline. After all: your WCF service could be hosted in a Windows Service or a console app - no trace of ASP.NET anywhere around there. So no - you do have to explicitly define your WCF security - no "trickle down" from ASP.NET, I'm afraid..... – marc_s Jul 21 '10 at 17:14
  • @marc_s - I was thinking IIS might actually be the one that handles the access, but it makes sense that it's ASP.NET. After all, the provider code is in .NET. But in that case, why does the authentication work for static files? In other words, if I have an "Images" directory with no ASP.NET pages, I can control access in the web.config. Do the static files go through the ASP.NET pipeline? – Nelson Rothermel Jul 21 '10 at 17:19
  • @marc_s - your thoughts on my answer? – Sky Sanders Jul 22 '10 at 15:41

1 Answers1

1

Ok, I usually am comfortable deferring to marc_s, but in this case, I think his comments may be not entirely accurate.

The thing I think he is disregarding is that hosting a service in ASP.NET is entirely different than self hosting.

When you host a service in an ASP.NET website, the host factory is managed by ASP.NET and is actuated by accessing the .svc endpoint, which is served by ASP.NET.

So, while participating in and having access to the ASP.NET context for a service is opt-in, ASP.NET most certainly does process the request.

And so, yes, you may guard any .svc endpoint with ASP.NET authorization as you show.

So you have it guarded against unauthenticated access. What now? How to authenticate a client so that it may access your service?

That is where the link you provide for using membership/authentication with a service.

So, in your question, you are describing the two reciprocal aspects of protecting an ASP.NET hosted wcf service with the membership provider stack but perhaps are viewing them as either/or.

Now, I could be mistaken, but this is how I understand it and how I have implemented it in the past.

Good luck.

And yes, there are methods of protecting a service with membership that do not involve a certificate but they typically have either a bit of smell to them and/or require a BasicHttp or WebHttp binding.

I am happy to explore this with you more if you like.

Sky Sanders
  • 36,396
  • 8
  • 69
  • 90
  • `So you have it guarded against unauthenticated access. What now?` I think it depends how it's being used. The ` – Nelson Rothermel Jul 22 '10 at 15:13
  • In my specific case the authentication doesn't time out (yes, I know the implications). Unless the user goes to the authenticated page and then clears their cache/cookies, the AJAX call should always work. There are no AJAX calls to the service from an unauthenticated page and if there were, I could have two services. Unless I'm wrong, if all I want is to make sure they are authenticated, in my specific case it should be mostly OK. If I want to check roles I can still do that in the web.config, but I couldn't require different roles for different methods unless I split the service. Am I right? – Nelson Rothermel Jul 22 '10 at 15:18
  • Last thing... If I'm using the service within the context of a local webpage as I previously stated, this may work. If I need authentication for a service that will be accessed by another website, Windows client app, etc. then I would have to connect the membership provider to the WCF service. – Nelson Rothermel Jul 22 '10 at 15:33
  • @nelson - it wasn't clear in your question that you wish to use AJAX to access your service. That certainly simplifies matters, as the XHR will use the browser's cookies. Handling authentication timeouts is certainly a challenge but is manageable without having an eternal session, see http://stackoverflow.com/questions/2234348/notify-user-when-session-time-out-in-asp-net/2234421#2234421 – Sky Sanders Jul 22 '10 at 15:34
  • @nelson r.e. 'last thing': in this cas you would leverage ApplicationServices, which is designed to support such scenarios. But again, the actual requirements of you implementations will bear heavily on which route is appropriate and the permutations are far to great to elaborate on without much more specific requirements. – Sky Sanders Jul 22 '10 at 15:37
  • @neslon - regarding handling login redirects - I hate them. the MS implementation is broken, has been since the beginning and still is. See http://www.codeproject.com/Articles/39062/Salient-Web-Security-AccessControlModule.aspx for more information about the issue and how you can eliminate it completely. – Sky Sanders Jul 22 '10 at 15:40
  • Sorry that I didn't specify AJAX earlier. I didn't realize at the time it was useful context for the problem domain. Anyway, thanks for all the insight. I'm no expert on this yet, but I do have a much better understanding. I also agree on the redirect issues. I have come across some of them and most solutions are kludgy at best. – Nelson Rothermel Jul 22 '10 at 15:59