Authenticated WCF: Getting the Current Security Context

Question

I have the following scenario:

• I have various user's data stored in my database.
• This data was entered via a web app.
• We'd like to expose this data back to the user over a web service so that they can integrate their data with their applications.
• We would also like to expose some business logic over these services. As such we do not want to use OData.
• This is a multi-tenant application so I only want to expose their data back to them and not other users. Likewise, the business logic we expose should be relative to the authenticated user.

I would like let the user use an OASIS scheme to authenticate with the web service -- WCF already allows for this out of the box as far as I understand -- or perhaps we can issue them certificates to authenticate with. That bit hasn't really been worked out yet.

Here is a bit of pseudo-code of how I envision this would work within the service:

function GetUsersData(id) 
 var user := Lookup User based on Username from Auth Context
 var data := Get Data From Repository based on "user"
 return data
end function

For the business logic scenario I think it would look something like this:

function PerformBusinessLogic(someData)
 var user := Lookup User based on Username from Auth Context
 var returnValue := Perform some logic based on supplied data
 return returnValue
end function

The hard bit here is getting the current username (or cert info in the cert scenario) that the user authenticated with!

Does WCF even enable this scenario? If not would WSE3 enable this?

Thanks,

Answer 1

Shouldn't really be too hard, I think:

• if your users authenticated with a Windows user credential at your WCF service, you'll be able to find their credentials under

  ServiceSecurityContext.Current.WindowsIdentity
  

• if your users authenticated with a certificate, you'll find their identity (which is going to be a CertificateIdentity instead of a WindowsIdentity) under

  ServiceSecurityContext.Current.PrimaryIdentity
  

Given a Windows identity, you can also impersonate that caller for subsequent calls down into your business or data layers, if needed - check out the MSDN docs Delegation and Impersonation with WCF, or Google or Bing for "WCF Impersonation" should give you a truckload of valuable links on that topic.

If neither the Windows nor the certificate path work for you, WCF also enables you to create your own custom authentication scheme, in which case you'd need to write an extension for WCF, plug it in, and you'd get username/password of your calling users sent to you to validate against any kind of custom store you might have.

WCF gives you a lot of flexibility in many ways - I highly doubt you'll find a scenario that works in WSE3 but doesn't work equally well (or better) in WCF!