I have a WCF Web Service which is being consumed by a C# client application, and I also have 4 groups stored in Active Directory. Client application should connect this web service by passing login credentials.
Requirement:
Question:
How to authenticate or validate logged in user on connecting to this web service, which event handler function will be invoked to validate logged in user credentials.
If anybody knows about this then please do let me know
You need to two keep concepts apart:
AUTHENTICATION is the process of determining who it is that's calling you, and making sure he really is who he claims to be; this can be done using username/password, Windows credentials (he had already authenticated himself to his Windows box through logging on), or by requiring the caller to have some information (certificate)
AUTHORIZATION is the process - once you know who is calling you, to determine what that caller can do (or what he cannot do)
In order to use Active Directory groups, you need to use a security mode in WCF that supports Windows credentials. The easiest is to use Windows credentials from the beginning, which is the default for wsHttpBinding and netTcpBinding - in this case, the caller will always pass along his Windows credentials with every call, and you can inspect those on the server side by looking at the ServiceSecurityContext.Current.WindowsIdentity
:
WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
This works well in an Intranet scenario - everyone is behind a corporate firewall and authenticated on their machines anyway. In order to enable this, just use wsHttp or netTcp binding (I'd recommend netTcp in this case).
The other slightly more complicated case is when you have your client present a X.509 certificate, and you then map that on the server side to an existing AD user in your network. That's rather advanced, however.
Once your caller is authenticated, e.g. you know who is calling, you can use the regular role-based security model to limit privileges. Just add [PrincipalPermission(....)]
attributes to your methods that you want to protect, and if the user doesn't match any of those requirements, a security exception will the thrown and the method will not be executed.
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
[PrincipalPermission(SecurityAction.Demand, Name = "JohnDoe")]
public string SayHello(string caller)
{
......
}
You can have multiple of those "PrincipalPermission" attributes, and they're matched together in an "OR"-fashion - if any one of them matches the current caller, he'll be allowed to make the call.
Check out page 4 of this article Fundamentals of WCF Security for more details on how to use role-based security.
Marc
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With