I am designing and testing WCF Services and exposing them as SOAP Web Services.
I have my service classes divided logically. I have an Account service. To access the account web service you have to provide a user name and password and an API token. I wrote a custom class extending UserNamePasswordValidator to take care of the authentication and an IDispatchMessageInspector to check for the token.
A requirement has just surfaced where we want to provide some account checking without the user being authenticated. Logically these operations should remain in the Account Service. However, the service behavior is configured to require username and password, and has an IServiceBehavior which adds an IDispatchMessageInspector that checks all messages for a token.
I have been reviewing all of the different extension points via Extending Dispatchers - Microsoft and WCF Extensibility - Carlos Figueira.
I can't seem to find a way to only apply security at the operation level, or a way to configure the service so certain functions require security/token and others do not.
I'm new to WCF, so it could be something simple, but I haven't found it. If you know of an article showing how to secure different parts of a service in different ways, or if you know how, please provide me with some info. Thank you.
As you want to allow/deny permission at the operation level, you can mark your methods with the PrincipalPermission attribute.
You can use it like this:
using System.Security.Permissions;

// Demand with Authenticated = false is satisfied for any caller, so no login is needed here.
[PrincipalPermission(SecurityAction.Demand, Authenticated = false)]
public void NoAuthenticationRequiredMethod() { }

// Demand with Authenticated = true throws a SecurityException unless Thread.CurrentPrincipal is authenticated.
[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
public void AuthenticationRequiredMethod() { }
As you want something more “flexible”, you can also use roles, so no recompile will be needed:
[PrincipalPermission(SecurityAction.Demand, Role = "CustomRole")]
You can read more here: https://msdn.microsoft.com/en-us/library/ff649821.aspx
At method level you can also check the OperationContext.Current.ServiceSecurityContext object to verify whether the request is from an authenticated user and make some decision.
Remember that the ServiceSecurityContext can carry different identities:
string primaryIdentity = OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name;
string windowsIdentity = OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name;
Read more here: https://sankarsan.wordpress.com/2010/07/25/identity-securitycallcontext-in-wcf/
Hope it helps.
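Putting the answer's two ideas together in one service, as an added example that is not code from the question or the answer above: the Account contract keeps all its operations, the PrincipalPermission attribute gates only the operation that needs a logged-in user, and the token-checking IDispatchMessageInspector is taught which actions are exempt by reading a hypothetical NoTokenRequired marker attribute off the contract in ApplyDispatchBehavior. The namespace, header name, attribute name and service names are assumptions. It also assumes the endpoint's binding admits anonymous callers (for example a second endpoint without UserName message credentials) and that serviceAuthorization is configured so Thread.CurrentPrincipal reflects the validated user (for example principalPermissionMode="Custom" with an IAuthorizationPolicy); a binding that demands UserName credentials rejects an unauthenticated message before any operation-level attribute runs, so the attribute alone cannot open an operation up.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Hypothetical marker: operations carrying it may be called without the API token.
[AttributeUsage(AttributeTargets.Method, Inherited = true)]
public sealed class NoTokenRequiredAttribute : Attribute { }

[ServiceContract(Namespace = "http://example.com/account")] // assumed namespace
public interface IAccountService
{
    [OperationContract]
    [NoTokenRequired]                       // anonymous account check: no token, no login
    bool AccountExists(string accountNumber);

    [OperationContract]                     // token checked by the inspector, login checked below
    decimal GetBalance(string accountNumber);
}

public class AccountService : IAccountService
{
    public bool AccountExists(string accountNumber)
    {
        return !string.IsNullOrWhiteSpace(accountNumber); // placeholder lookup
    }

    // Assumes serviceAuthorization populates Thread.CurrentPrincipal from the validator.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public decimal GetBalance(string accountNumber)
    {
        // Explicit check alongside the attribute: it documents intent and still fails
        // closed if principalPermissionMode is misconfigured and the demand passes.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Authentication required.");
        return 0m; // placeholder balance
    }
}

// Checks the API token header on every action except those marked NoTokenRequired.
public class TokenInspector : IDispatchMessageInspector
{
    private const string TokenHeader = "ApiToken";                 // assumed header name
    private const string TokenNs = "http://example.com/account";   // assumed namespace
    private readonly HashSet<string> exemptActions;

    public TokenInspector(IEnumerable<string> exemptActions)
    {
        this.exemptActions = new HashSet<string>(exemptActions, StringComparer.Ordinal);
    }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        if (exemptActions.Contains(request.Headers.Action))
            return null;                                           // exempt operation: skip the token check

        int idx = request.Headers.FindHeader(TokenHeader, TokenNs);
        if (idx < 0 || !IsValidToken(request.Headers.GetHeader<string>(idx)))
            throw new FaultException("Missing or invalid API token."); // fail closed for everything else
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    private static bool IsValidToken(string token)
    {
        return !string.IsNullOrEmpty(token);                       // placeholder: compare against the token store
    }
}

// Builds the exempt-action set from the contract metadata and installs the inspector.
public class TokenBehavior : IServiceBehavior
{
    public void ApplyDispatchBehavior(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)
    {
        var exempt = new HashSet<string>(StringComparer.Ordinal);
        foreach (ServiceEndpoint ep in serviceDescription.Endpoints)
            foreach (OperationDescription op in ep.Contract.Operations)
            {
                var method = op.SyncMethod ?? op.TaskMethod ?? op.BeginMethod;
                if (method != null && method.IsDefined(typeof(NoTokenRequiredAttribute), true))
                    exempt.Add(op.Messages[0].Action);               // request action of the exempt operation
            }

        foreach (ChannelDispatcher cd in serviceHostBase.ChannelDispatchers.OfType<ChannelDispatcher>())
            foreach (EndpointDispatcher ed in cd.Endpoints)
                ed.DispatchRuntime.MessageInspectors.Add(new TokenInspector(exempt));
    }

    public void AddBindingParameters(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase,
        System.Collections.ObjectModel.Collection<ServiceEndpoint> endpoints, BindingParameterCollection bindingParameters) { }

    public void Validate(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase) { }
}
```

Register TokenBehavior on the host (for example `host.Description.Behaviors.Add(new TokenBehavior())`) and the exempt list is derived from the contract rather than a hand-maintained string list, so adding a new anonymous operation is a one-attribute change. Keep the default of the inspector as "token required": an action that is not in the exempt set is rejected, which means a new operation is protected until someone deliberately opts it out.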