Architecture of project
my wcf expose 11 endpoints,one of the endpoint ment for authentication and autherization. which returns the accountid of the user.this accountid is sent by client in every method for recozination.
need
i dont want to send the account id to every method ,all i want a way that can give me the accoint id automatically if the client is loggedin
Limitation...
1> i cant use membership.
2>i can,t use persession mode of wcf becose it creates new session for every endpoint
3> cant use outgoinfheaders on client side ..
is there any custom way to solve this problem
That looks like scenario for federated security but it would conflict with some of your requirements.
You don't need membership.
You don't need per session services
You need somehow pass the token - if you cannot use custom outgoing SOAP header and configure it in some central place, you will have to pass the token inside the message body and you will have to configure it as a parameter for each service call.
Related
I have a route which interacts with 4 http endpoints. the first http endpoint is an authorization service from which i will get one authentication token. What i want is once i get the token from the authorization service i will pass the token to each further http service in the header. so how can i achieve that? is there any way of creating a temporary variable using the token value and if i can place it in the context then in any endpoint i can set it.
or else i was thinking if i can invoke the authorization service once at application startup once and store the token somewhere and i can use it.
You can store properties on your exchange object:
http://camel.apache.org/maven/current/camel-core/apidocs/org/apache/camel/Exchange.html#setProperty(java.lang.String,%20java.lang.Object)
For example in my "pipeline" I'm storing ID from DB for later use:
from("quartz2://myScheduler?cron=0+0+6,14,22+*+*+?")
.to("sql:" + getNextID() + "?dataSource=#dataSource&outputType=SelectOne")
.setProperty("NextID", simple("${body[id]}"))
Then, the NextID is accessible from exchange exchange.getProperty("NextID")
You can use headers or properties
I have a WCF service that supposed to provide service to several clients.
The WCF will have a Data-Access-Layer that will communicate with the database.
This is part of my design idea : My Design
As you can see - each client will connect to the 1st WCF service for pulling information (get product, update product), and also to the 2nd WCF service in a pub\sub manner, so it would be able to receive notifications about different things it wants.
I have a table in the database for 'Users' with all the users in the system.
(there is an administrator, a normal user and a technician).
My question is - how do I do the 'logging' in from the client to the database ?
My current idea - have a function in the services called 'Connect ( username, password )' and when a client connects - it will pass the username and password to be authenticated in the database, and only if authenticated - the client will start sending commands.
Problem with this is - anyone can write his own client that connects to my service and runs other functions without authenticating. I can solve this by saving in the service whether or not the client has authenticated.
But is there a better solution that just having a 'Connect' function in the service ?
Hope there is something simple yet effective.
You should create a custom user name and password validator that derives from the UserNamePasswordValidator abstract class and implements the Validate() method. Then you can validate the provided user name and password however you want. To learn more about setting this up, read this article.
I'm wondering how I can restrict some methods from unauthorized user access. Let's assume I have a WCF service with the following contract:
int Login(string username, string password);
Invoice[] GetCustomersInvoices(int customerId);
A user should act in the following way:
Login to verify against the service and get his custumerId
fetch his invoices by invoking the corresponding method with his customerId
Well, that's maybe a stupid question, but what if customerA's id is 23, but somehow customerA knows customerB's id, which is 42. Now customerA could read customerB's secret invoice data...
What could I best do to avoid this?
You shouldn't use a single id for identifying someone. There are many ways of enabling authn/authz in WCF, I like the article at http://msdn.microsoft.com/en-us/magazine/cc948343.aspx for a good introduction on some ways of doing it.
Your current approach of calling methods will only work if you are able to implement secure(persistent) channel between client and server using SSL or any other such mode (typical scenario would be Baking Payments Getaways)
So IMO you need to implement your user authentication inside the method (no separate calls). i.e. you have to pass userid and password along with invoiceid to GetCustomersInvoices() method and inside it you need to authenticate the user and retrieve the data.
Following would be solution for such scenario,
Implement your own User Name Password Validations (custom usernameathentication), which will first authenticate the user and than it will call the method given. Since this will happen in one request so it will solve your problem.
Typical service method call would be like,
Service.UserName = "abc"
Service.Password = "***"
Service.GetInvoiceDetails(1233)
You can get the use of Message Headers and Body to pass your custom values, Webservices support such scenario where you can pass encrypted data in SOAP headers.
Alternatively you can use Certificates also, but these are not free.
In general you can go through following links to get more info in various kinds of security WCF supports,
http://msdn.microsoft.com/en-us/library/ms731925.aspx
I am consuming one java webservice with WCF client.
I want to pass user related information to service in header. I have aleady gone to through thread
How to add a custom header to every WCF calls?
I have implemented IClientMessageInspector interface with BeforeSendRequest() method. Now, I want to pass user related information in SOAP header like Oraganization, which may differ for every user. I have all this information in my ASP.net application, which uses this service.
Is there anyway I can pass user related information to this BeforeSendRequest() method from asp.net session and build Message header before sending any request?
There are few options
Put the information in Session and retrieve it in BeforeSendRequest
Put it in HttpContext.Current.Items and retrieve it in `BeforeSendRequest'
Use Thread Local Storage (http://msdn.microsoft.com/en-us/library/6sby1byh.aspx)
I have a WCF service which uses a custom authentication and authorization manager.
Each time a client makes a call the authentication manager looks for a message header and uses the information to identify the user. The user gets created as an IPrincipal and placed into ServiceSecurityContext.Current.AuthorizationContext.Properties["Principal"].
I noticed on subsequent calls, where the users is different, the old user info is in the Current context. My service is tagged as PerCall. I am stumped on why the context is not getting cleared for every call.
Or is OperationContext different lifetime from SecurityContext?
If so any ideas on how to achieve what I described above? Thanks for help.