11

I want to decorate certain Operation Contracts with an attribute to authorize the caller by custom logic, something like this:

```csharp
[ServiceBehavior]
public class Service1
{
    [OperationContract]
    [Authorize] // ?? this should make sure only admins can call this method
    public List<SampleItem> GetCollection()
    {
        return new List<SampleItem>() { new SampleItem("Only Admins see me") };
    }
}
```

The [Authorize] should check if the caller is entitled to call this operation; if not - it should return an error fault.

Thanks.

Dmitry Sadakov

3 Answers

21

Not out of the box - but WCF top-guru Juval Löwy had a very interesting article in MSDN Magazine about Declarative WCF Security which goes in the same direction.

Juval identified several key security scenarios, and wrapped each of them up into a WCF service behavior to be applied as an attribute on your service class on the server side. Quite an interesting read indeed!

Daniel
marc_s
  • 1
    Not only is this a good answer, but you're so close to 100k that you deserve an upvote. Rock on! – Maxim Zaslavsky Jan 10 '11 at 00:01
  • 1
    " In this column, I present my declarative security framework." - great read. – Dmitry Sadakov Jan 10 '11 at 04:44
  • In sum for your questions the article basically wants you to use: [PrincipalPermission(SecurityAction.Demand, Role = @"WindowsRole or CustomRoleName")] Additionally: https://msdn.microsoft.com/en-us/library/ff647503.aspx – hidden Oct 15 '15 at 22:52
  • 1
    I couldn't read any of the content with Windows 10 HTML Help. Solved it by following these steps: "[...] On most versions of windows you must first save these files to your local machine, and then unblock the file in order to read it. To unblock a file, right click on it, and select properties, and then select the ‘unblock’ button. The content will then be available to read." —[MSDN Magazine Issues](https://msdn.microsoft.com/en-us/magazine/msdn-magazine-issues.aspx) – bob esponja Dec 23 '16 at 08:56
3

WCF doesn't have any special attribute for this purpose, but you can use PrincipalPermissionAttribute - a common approach for declarative role-based security in .NET.

Ladislav Mrnka
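An added example, not code from any of the answers: the question's operation guarded by PrincipalPermissionAttribute as suggested above, exercised in-process with two constructed callers. It assumes .NET Framework 4.x with System.ServiceModel and System.Runtime.Serialization referenced; the role name "Admins", the shape of SampleItem, and the CallAs helper are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

[DataContract]
public class SampleItem // stand-in for the question's type
{
    public SampleItem(string text) { Text = text; }
    [DataMember] public string Text { get; set; }
}

[ServiceContract]
public class Service1
{
    [OperationContract]
    // Runs before the method body and checks Thread.CurrentPrincipal, which a
    // WCF host sets according to serviceAuthorization/principalPermissionMode.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admins")] // assumed role name
    public List<SampleItem> GetCollection()
    {
        return new List<SampleItem> { new SampleItem("Only Admins see me") };
    }
}

public static class Program
{
    // Stands in for the principal a WCF host would attach to the request thread.
    static string CallAs(string user, params string[] roles)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try { return user + ": " + new Service1().GetCollection()[0].Text; }
        catch (SecurityException) { return user + ": denied"; } // failed demand
    }

    public static void Main()
    {
        Console.WriteLine(CallAs("alice", "Admins")); // constructed caller
        Console.WriteLine(CallAs("bob", "Users"));    // constructed caller
    }
}
```

When the service is hosted in WCF, the failed demand is returned to the caller as an access-denied fault, which a .NET client sees as a SecurityAccessDeniedException.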
2

In my WCF application, I've largely overridden all the default authentication and authorization stuff, and I use some custom processing of the PrincipalPermissionAttribute to check my custom security permissions.

I have some code snippets of how I did this in this post: .NET Declarative Security: Why is SecurityAction.Deny impossible to work with?

Community
CodingWithSpike