Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

WCF/ASP.NET Authentication

Tags:

asp.net

wcf

wcf-security

My scenario is a 3-Tier app where the data tier is a SQL Server database, the middle tier is a WCF application hosted in a Windows Service and finally the presentation is an Asp.Net MVC application.

As usual, the middle tier is the one that performs all of the business logic. Access database, define business rules.. etc.

Okay, so far so good! BUT now here's question: How do you handle security in such a scenario? I mean, the user has to log in on the ASP.NET application, but I want to authenticate it not only in ASP but in the WCF middle tier as well, since a WCF service is supposed to be accessed by more apps.

I want the user to log in on the Asp.Net application and let WCF know the credentials as well. Is there some kind of session in WCF in which to specify a logged in user?

How do pros handle security in this case? I know you can secure the WCF services with message security, but how do Asp.Net and WCF sync on a single logged user? I want to secure WCF operations depending on the user for authorization means.

like image 454
Luis Aguilar Avatar asked Jan 27 '11 04:01

Luis Aguilar

People also ask

How can I add authorization header to the request in WCF?

MessageHeader header = MessageHeader. CreateHeader("Authorization", "", "Basic Y19udGk6Q29udGlfQjNTVA=="); request. Headers. Add(header);

1 Answers

I would suggest looking into using an approach like HMAC (Hash Message Authentication Code) for your security, or a similar token-based approach. The idea would be to sign your requests to your WCF layer which can be used to authenticate the request and identify the user making the request.

The essential elements would be a token and a shared secret of some sort used for signing each request. The token would allow you to identify the user on the WCF end, and lookup the shared secret to verify the request. You can also added timestamps / nonces to prevent replay attacks and such.

I've used this approach for some REST services built on WCF - with the added benefit that clients do not need to store usernames and passwords, just the security tokens used for communication. In your case you'll need to sort out how to exchange the tokens between the ASP.NET layer and the WCF layer, but it would provide you a unified authentication method for any consumer of your WCF services.

like image 90
efalconer Avatar answered Oct 16 '22 04:10

efalconer
Sign in to Comment

Related questions

Why is my code apparently calling LocalDataStoreMgr.GetNamedDataSlot?
Project dlls are missing in Modules window
How should a C# Web API model binder provider work?
WebApi Application: Error 404.0, Handler StaticFile
dropzone multiple area's in same form
Localized resources not loaded
Compiler Error: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\014679fc\1b393534\App_Web_glpoum5i.dll' could not be found
Use QueueBackgroundWorkItem with User Identity?
Azure web application suddenly gives 500 errors
Accessing client certificates from an HTTP Request
bundle optimization in distributed software architecture
How do I authenticate against Active Directory from ASP.NET web service code?
Asp.Net MVC - Plugins Directory, Community etc?
Help me come up with a deployment strategy
ASP.Net Web Site Project vs. Web Application Project [duplicate]
Get binding column name of templatefield's texbox
NHibernate Session and Transaction management in HttpModule
ASP.NET MVC - Posting a form with custom fields of different data types
Compiling Code in Medium Trust
Posting image/video to MySpace using API?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!