2

I'm consuming a lot of WCF Services from a Silverlight application in a totally disconnected way.

I want to ensure that I know the user who is calling every service, and I don't know if there is a "standard way".

I've thought of a Login method to get a Token and then pass the username and its token in every call to ensure he/she is logged in and has permissions to execute it.

Is there any "almost-done" way with ASP.NET authorization in my own SQL Server? Or can I only use its tables and have to do it "manually"?

Thanks in advance!

zapico
  • 2,396
  • 1
  • 21
  • 45

2 Answers

5

It sounds like using ASP.NET Membership might be a good fit for you. There are two approaches you can use with this. The first is to use the default membership tables as generated by aspnet_regiis. This option has the advantage of being basically done for you. In this case, all you'd need to do is run the aspnet_regiis tool, then add the necessary portions to the Web.config for your WCF service as described here. Then, when calling the service you need to set credentials for your binding as described here - specifically the portion about setting ClientCredential for your binding when consuming the service.

The other option is to write your own custom membership provider as described here. This allows you to do whatever you want behind the scenes in terms of storing and managing your users, rather than using the pre-built ASP.NET mechanisms. This is a good approach if you're mating with an existing user base or want to have more control over how things are implemented.

Also, keep in mind that ASP.NET Membership isn't your only option for securing your WCF service. Spend some time reading up on your options, which include:

  • Windows Authentication and Windows Authorization via transport level security on basicHttpBinding
  • Windows Authentication and Windows Authorization via message level security on wsHttpBinding
  • UsernamePasswordToken Authentication with ASP.NET Membership and ASP.NET Role Authorization via message level security on wsHttpBinding
  • UsernamePasswordToken Authentication with custom validator via message level security on wsHttpBinding
  • Authorization using a custom Authorization Policy
  • Impersonation using Windows credentials

That list comes from this blog post, which is a good place for you to start exploring your options. Reading up on them will give you the opportunity to learn the strengths, weaknesses, and features of each so that you can choose the one that best suits your purposes. You can also begin with the MSDN articles on WCF security here.

In summary, yes there is an "almost-done" way to do it with ASP.NET Membership, and it shouldn't be too hard to implement, but take some time to explore your other options as well before just diving in with one, because they all have trade-offs and you don't want to have to re-implement it in the future if you decide the approach you chose is a bad fit.

Zann Anderson
  • 4,767
  • 9
  • 35
  • 56
  • Thanks a lot for your answer! I've made my first custom membership provider in a test and now I'm trying to use the ASP.NET Membership. My only doubt here is how am I going to know who is calling each service? I know the user is sent in every call, but after executing the "Validate" method in my custom validator... I don't know how to get the user who is executing the service (I want to return different data if it is a user or an administrator, for example ;-)). Thanks again! – zapico Nov 09 '11 at 17:48
  • 1
    Have you tried using `ServiceSecurityContext.Current.PrimaryIdentity`? – Zann Anderson Nov 09 '11 at 17:51
  • Wow! This is awesome! And if you use ASP.NET Membership... can you see the user role, for example? – zapico Nov 10 '11 at 08:37
  • Roles I'm not as familiar with, you'll have to do some research and see what you can find, sorry. – Zann Anderson Nov 10 '11 at 15:17
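The server side of the "UsernamePasswordToken with a custom validator" option from the list above, as an added example that is not code from the answer or from the asker's project: a UserNamePasswordValidator that checks the credentials the client attaches to every call, and an operation that then reads the caller's name from ServiceSecurityContext.Current.PrimaryIdentity (the comment thread's question). The in-memory user store, the sample account "alice", the assembly name "MyAssembly" and the IReportService contract are constructed for the example; in a real service the check would be Membership.ValidateUser or a query against your own SQL Server table.

```csharp
// Added example, not code from the original answer.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;

// Constructed, hypothetical store: user name -> (salt, PBKDF2 hash of the password).
public static class InMemoryUserStore
{
    private const int Iterations = 10000;
    private static readonly Dictionary<string, KeyValuePair<byte[], byte[]>> Users =
        new Dictionary<string, KeyValuePair<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase);

    static InMemoryUserStore()
    {
        Add("alice", "correct horse battery staple");   // sample account for the example
    }

    private static void Add(string user, string password)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Users[user] = new KeyValuePair<byte[], byte[]>(salt, Hash(password, salt));
    }

    private static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    public static bool Check(string user, string password)
    {
        KeyValuePair<byte[], byte[]> entry;
        if (!Users.TryGetValue(user, out entry)) return false;
        byte[] expected = entry.Value;
        byte[] actual = Hash(password, entry.Key);
        // Constant-time comparison so timing does not leak how many bytes matched.
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

// Registered under <serviceCredentials> with
//   <userNameAuthentication userNamePasswordValidationMode="Custom"
//        customUserNamePasswordValidatorType="CustomUserNameValidator, MyAssembly" />
// ("MyAssembly" is an assumption).
public class CustomUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // WCF turns any exception thrown here into an authentication failure.
        // Keep the message generic so the fault does not reveal which accounts exist.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password) ||
            !InMemoryUserStore.Check(userName, password))
            throw new SecurityTokenException("Unknown user name or password");
    }
}

[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string WhoAmI();
}

public class ReportService : IReportService
{
    public string WhoAmI()
    {
        // Once the validator has accepted the token, WCF exposes the caller here.
        var identity = ServiceSecurityContext.Current.PrimaryIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new FaultException("Not authenticated");
        return identity.Name;   // the user name the validator accepted
    }
}
```

One caveat for the Silverlight side: a Silverlight client cannot use wsHttpBinding message security, so the usual pairing for this validator is basicHttpBinding with security mode="TransportWithMessageCredential" and <message clientCredentialType="UserName"/> over HTTPS; the client sets client.ClientCredentials.UserName.UserName and .Password before calling, and the validator code above is the same either way. Without HTTPS the user name and password travel in the clear.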
1

One way to do this is to impersonate all users. For that you need to add the following to your service behaviour:

<serviceAuthorization impersonateCallerForAllOperations="true" />

More details here: http://msdn.microsoft.com/en-us/library/ms731090.aspx

And if you want to know the user, then inside your service methods you can use

 System.Threading.Thread.CurrentPrincipal.Identity.Name

to find the name of the user who is using your services.

Edit:

You can use the Membership API; details here:

http://msdn.microsoft.com/en-us/library/ms731049.aspx

http://blogs.msdn.com/b/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx

http://social.msdn.microsoft.com/forums/en-US/asmxandxml/thread/8a679fb2-e67e-44a9-b491-eb95d5144068

Surjit Samra
  • 4,614
  • 1
  • 26
  • 36
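Impersonation as shown above only applies when the caller presented Windows credentials. For a user name/password caller validated against ASP.NET Membership, Thread.CurrentPrincipal is populated instead by setting principalPermissionMode on serviceAuthorization, and that setting also answers the role question left open in the comments on the first answer. The following is an added example, not code from either answer: the role provider name "SqlRoleProvider", the role "Administrator", the IOrderService contract and the in-memory OrderStore are all assumptions constructed for the example.

```csharp
// Added example, not code from the original answer.
// Assumed web.config for the service (names are assumptions):
//   <serviceAuthorization principalPermissionMode="UseAspNetRoles"
//                         roleProviderName="SqlRoleProvider" />
// with <roleManager enabled="true" defaultProvider="SqlRoleProvider"> configured.
// With that setting WCF places a principal on the thread whose IsInRole() asks the
// configured RoleProvider, so both the imperative and the declarative check below work.
using System.Collections.Generic;
using System.Linq;
using System.Security.Permissions;
using System.ServiceModel;
using System.Threading;

[ServiceContract]
public interface IOrderService
{
    [OperationContract] string[] GetOrders();
    [OperationContract] void DeleteOrder(int orderId);
}

// Constructed in-memory data so the example is self-contained.
public class Order
{
    public string Owner;
    public string Description;
}

public static class OrderStore
{
    private static readonly Dictionary<int, Order> Orders = new Dictionary<int, Order>
    {
        { 1, new Order { Owner = "alice", Description = "10 widgets" } },
        { 2, new Order { Owner = "bob",   Description = "3 gadgets"  } },
    };

    public static string[] AllOrders()
    {
        return Orders.Values.Select(o => o.Owner + ": " + o.Description).ToArray();
    }

    public static string[] OrdersOwnedBy(string user)
    {
        return Orders.Values.Where(o => o.Owner == user)
                            .Select(o => o.Description).ToArray();
    }

    public static bool Delete(int id) { return Orders.Remove(id); }
}

public class OrderService : IOrderService
{
    // Imperative check: return different data depending on the caller's role.
    public string[] GetOrders()
    {
        var principal = Thread.CurrentPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new FaultException("Not authenticated");

        if (principal.IsInRole("Administrator"))   // role name is an assumption
            return OrderStore.AllOrders();
        return OrderStore.OrdersOwnedBy(principal.Identity.Name);
    }

    // Declarative check: the demand runs before the body and fails with a
    // SecurityAccessDeniedException for callers outside the role. Enforce this on
    // the server; hiding the button in the Silverlight UI is not authorization.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    public void DeleteOrder(int orderId)
    {
        if (!OrderStore.Delete(orderId))
            throw new FaultException("No such order");
    }
}
```

If the callers are authenticated by a custom UserNamePasswordValidator rather than by Membership, UseAspNetRoles still works as long as the user names in the role store match the names the validator accepts; otherwise roles can be attached with a custom authorization policy, which is the last-but-one option in the first answer's list.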