Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

WCF REST basic authentication on certain methods

Tags:

rest

c#

security

mobile

wcf

I have quite a few RESTful (GET and POST) methods implemented in WCF 4.0. All these work over SSL.

An example of some of the methods:

[OperationContract]
[WebInvoke(UriTemplate = "Login?", Method = "POST", ResponseFormat = WebMessageFormat.Json, RequestFormat = WebMessageFormat.Json, BodyStyle = WebMessageBodyStyle.Bare)]
LoginResponse Login(LoginRequest request);

[OperationContract]
[WebInvoke(UriTemplate = "UpdateDetails?", Method = "POST", ResponseFormat = WebMessageFormat.Json, RequestFormat = WebMessageFormat.Json, BodyStyle = WebMessageBodyStyle.Bare)]
UpdateUserDetailResponse UpdateDetails(UpdateUserDetailRequest request);

[OperationContract]
[WebInvoke(UriTemplate = "GetDetails?", Method = "POST", ResponseFormat = WebMessageFormat.Json, RequestFormat = WebMessageFormat.Json, BodyStyle = WebMessageBodyStyle.Bare)]
UserDetailResponse GetDetails(UserDetailRequest request);

I have looked through so many blogs and forums and I still cannot find something that meets my requirements. I need to implement basic authentication on some of the methods but not all. If you look at the examples above I require a username and password to be sent through for the UpdateDetails and GetDetails method, but not for the Login method. The username and password is then authenticated against a database. Is it possible to do something like this?

As a side note: these REST methods are called by many different mobile devices.

I have looked at the following sites and they all implement basic authentication over REST but they cover all the methods mentioned above.

  • http://msdn.microsoft.com/en-us/library/aa702565.aspx
  • Adding basic HTTP auth to a WCF REST service
  • http://custombasicauth.codeplex.com/ (links at the bottom don't work anymore)

Is it possible to do what I want to do?

like image 417
Dylan Avatar asked May 29 '12 12:05

Dylan

1 Answers

I created a BasicAuthenticationInvoker class which you attribute on the methods you would like to authenticate as follows:

  [OperationContract]
    [BasicAuthenticationInvoker] // this is the auth attribute!
    [WebInvoke(UriTemplate = "QuickQuote?", Method = "POST", ResponseFormat = WebMessageFormat.Json, RequestFormat = WebMessageFormat.Json, BodyStyle = WebMessageBodyStyle.Bare)]
    QuickQuoteResponse QuickQuote(QuickQuoteRequest request);

The actual class looks as follows:

 public class BasicAuthenticationInvoker : Attribute, IOperationBehavior, IOperationInvoker
    {
        #region Private Fields

        private IOperationInvoker _invoker;

        #endregion

        #region IOperationBehavior Members

        public void ApplyDispatchBehavior(OperationDescription operationDescription,
                                          DispatchOperation dispatchOperation)
        {
            _invoker = dispatchOperation.Invoker;
            dispatchOperation.Invoker = this;
        }

        public void ApplyClientBehavior(OperationDescription operationDescription,
                                        ClientOperation clientOperation)
        {
        }

        public void AddBindingParameters(OperationDescription operationDescription,
                                         BindingParameterCollection bindingParameters)
        {
        }

        public void Validate(OperationDescription operationDescription)
        {
        }

        #endregion

        #region IOperationInvoker Members

        public object Invoke(object instance, object[] inputs, out object[] outputs)
        {
            if (Authenticate("Client Name here"))
                return _invoker.Invoke(instance, inputs, out outputs);
            else
            {
                outputs = null;
                return null;
            }
        }

        public object[] AllocateInputs()
        {
            return _invoker.AllocateInputs();
        }

        public IAsyncResult InvokeBegin(object instance, object[] inputs,
                                        AsyncCallback callback, object state)
        {
            throw new NotSupportedException();
        }

        public object InvokeEnd(object instance, out object[] outputs, IAsyncResult result)
        {
            throw new NotSupportedException();
        }

        public bool IsSynchronous
        {
            get
            {
                return true;
            }
        }

        #endregion

        private bool Authenticate(string realm)
        {
            string[] credentials = GetCredentials(WebOperationContext.Current.IncomingRequest.Headers);

            if (credentials != null && credentials.Length == 2)
            {
                // do auth here
                var username = credentials[0];
                var password = credentials[1];

               // validate the username and password against whatever auth logic you have

                return true; // if successful
            }

            WebOperationContext.Current.OutgoingResponse.Headers["WWW-Authenticate"] = string.Format("Basic realm=\"{0}\"", realm);
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
            return false;
        }

        private string[] GetCredentials(WebHeaderCollection headers)
        {
            string credentials = WebOperationContext.Current.IncomingRequest.Headers["Authorization"];
            if (credentials != null)
                credentials = credentials.Trim();

            if (!string.IsNullOrEmpty(credentials))
            {
                try
                {
                    string[] credentialParts = credentials.Split(new[] {' '});
                    if (credentialParts.Length == 2 && credentialParts[0].Equals("basic", StringComparison.OrdinalIgnoreCase))
                    {
                        credentials = Encoding.ASCII.GetString(Convert.FromBase64String(credentialParts[1]));
                        credentialParts = credentials.Split(new[] {':'});
                        if (credentialParts.Length == 2)
                            return credentialParts;
                    }
                }
                catch
                {
                }
            }

            return null;
        }
    }
like image 138
Dylan Avatar answered Sep 18 '22 18:09

Dylan
Sign in to Comment

Related questions

LINQ to Entities query takes long to compile, SQL runs fast
Getting a users's groups in Active Directory
store retrieve IObservable subscription state in Rx
WCF: EndpointNotFoundException after running for a couple of seconds
App using saxonHE (9.2.1.1) api to process XSLT (v2.0) against multiple XML files
Line Endpoint Detection
How Do Exceptions Work When Using DLLImport
WPF UIElement refresh bug?
Capture the stream from microphone in WAV formatting
How can I decompile a batch of .NET DLLs into a Visual Studio project [closed]
C# Windows Forms does not open default browser after installation
Is it possible to see different forms of a word through the Word API?
Stay DRY with DTO's
Unit Test MVC with ASP.NET Dev Server
Query returning nothing when there is data in the database
ebay FindingAPI how to find items specified within a given day range
How to find out if a certain Point3D is inside the camera view bounds?
Expression tree - compile inner lambda in outer lambda - scoping resolution
How can I stop JIT debugger stepping in on a crashing wcf service?
Method resolution in extension methods with optional parameters

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!