I have a WPF client that connects to a WCF service, and I want to lock down some of the functionality so that only certain users can perform certain actions. The WCF service impersonates the client user when executing service methods. The OS is Windows XP.

I was reading this question as part of my investigation into the best way to apply user roles to features in my application (I want to assign users to AD security groups, and then check IsInRole), and am worried that cached permissions will allow users who have had their permissions reduced to access functionality they no longer have permission to. Conversely, I am also worried that users who have had their permissions upgraded will need to log out of their windows account, or even that the WCF service might have to be restarted (worst case scenario) before they can access the new functionality.

What is the simplest way to ensure that both client and server can immediately see changes to the AD security groups?

Franchesca
  • It is quite normal that changes in role membership take some time to be propagated (including a new user logon). For example, if you have a primary and a secondary domain controller it can also take a long time before changes are synchronized, and the user can still receive old permissions from the secondary controller. – Ladislav Mrnka Jul 14 '11 at 10:38
  • @Ladislav Mrnka I guess I will have to live with some delay, but I particularly want to avoid using locally cached permissions (on the user's machine). I have no idea whether the WCF service will make its own request to check role membership while impersonating the user, or whether it receives these details from the client along with the identity. – Franchesca Jul 14 '11 at 11:11

1 Answer

You can always implement your own membership provider that queries the AD. It's pretty easy and you'll be sure that all permission evaluations are accurate, or at least exactly as you want them to be.

If you find querying the AD server on each evaluation to be "expensive" on performance you can create your own cache on the client which you can force to refresh periodically or on demand. This cache can be as simple as an indexed list (like a Dictionary) of permissions that you can query pretty fast.

Here's a good article on how to interact with AD: http://www.codeproject.com/KB/system/everythingInAD.aspx

AlexCode
  • OK, that is a pretty comprehensive article, thanks! I guess I will have to try it out to see how slow the queries are, but doing it once on startup of the client is the bare minimum I need to plug the security hole I was most worried about :) – Franchesca Jul 15 '11 at 10:04
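As an added example (not code from the answer or the linked article), this is the on-demand AD role check with a short cache that can be invalidated, as the answer describes, written in C# for the impersonating WCF service rather than the client; the `AdRoleCache` class, its one-minute default and any group name a caller passes are assumptions. Keeping the authoritative check on the server means a client-side cache can only affect what the UI shows, not what the user is actually allowed to do.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.ServiceModel;
// Role checks that go to the domain on demand, with a short server-side cache the service
// can invalidate, so a group change is seen without a re-logon or a service restart.
public sealed class AdRoleCache
{
    private readonly TimeSpan _ttl;
    private readonly object _lock = new object();
    private readonly Dictionary<string, KeyValuePair<DateTime, HashSet<string>>> _cache =
        new Dictionary<string, KeyValuePair<DateTime, HashSet<string>>>(StringComparer.OrdinalIgnoreCase);
    public AdRoleCache(TimeSpan ttl) { _ttl = ttl; }
    // Asks AD for the user's effective security groups (nested membership included).
    // Runs under the current (impersonated) token, which must be allowed to read membership.
    private static HashSet<string> QueryGroups(string samAccountName)
    {
        var groups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return groups;            // unknown account: no roles at all
            foreach (Principal g in user.GetAuthorizationGroups())
                if (g.SamAccountName != null) groups.Add(g.SamAccountName);
        }
        return groups;
    }
    // Cached for at most _ttl; after that the next check re-queries the domain.
    public bool IsInRole(string samAccountName, string group)
    {
        lock (_lock)
        {
            KeyValuePair<DateTime, HashSet<string>> entry;
            if (!_cache.TryGetValue(samAccountName, out entry) || DateTime.UtcNow - entry.Key > _ttl)
            {
                entry = new KeyValuePair<DateTime, HashSet<string>>(DateTime.UtcNow, QueryGroups(samAccountName));
                _cache[samAccountName] = entry;
            }
            return entry.Value.Contains(group);
        }
    }
    // Call after an administrator changes the user's groups to force an immediate re-query.
    public void Invalidate(string samAccountName) { lock (_lock) _cache.Remove(samAccountName); }
    // Inside an impersonating WCF service method: check the caller against a group name.
    public bool CallerIsInRole(string group)
    {
        string name = ServiceSecurityContext.Current.WindowsIdentity.Name;   // "DOMAIN\user"
        return IsInRole(name.Substring(name.IndexOf('\\') + 1), group);
    }
}
```

A service method would hold one static `AdRoleCache` (for example `new AdRoleCache(TimeSpan.FromMinutes(1))`) and throw a `FaultException` when `CallerIsInRole` returns false; the TTL bounds how long a removed permission can still be honoured, and `Invalidate` removes even that window when the change is known to the service.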