I am using a WCF authentication service I set up with a web application. I have successfully set up and tested the AuthenticationService and RolesService. The web application can successfully call methods like ValidateUser and GetRolesForCurrentUser through the WCF services.
I want to integrate the WCF authentication service with my web.config and site.map. Do I need to write a custom provider, or is there some way I can modify the web.config of the web application to use the WCF authentication service as its membership provider?
This way I can set what roles have access to what directories based off the WCF authentication service.
Application Services are not intended as a replacement for the provider stack.
They are meant to augment and enable usage from context other than .aspx.
In most cases you may simply use the default provider stack (Membership/Roles/Profiles).
You simply need to pass the cookies that you get when you call 'Login' via app services around in the context of the service call.
See here for some more information about adding cookies to a WCF call.
If you are using AJAX to call the services, you don't have to do anything, simply authenticate via ajax and then call via ajax.
Skys answer doesn't seem to answer the question?
It seems to me that there is a genuine need to call the WCF AuthenticationService from an ASP.NET application?
Consider a three tier application where all database access is mandated to be performed by the application tier. There is a single database (data tier) containing business data as well as membership data.
I have written a three tier implementation whereby a custom MembershipProvider on the presentation tier invokes the AuthenticationService on the application tier which in turn runs my custom authentication routine.
I could quite easily create a custom WCF service (eg not AutheticationService) which does this authentication but I try to use .NET objects where possible.
it would be nice if I could tell ASP.NET to use the AutheticationService without needing a custom membership provider but I dont think this is possible?
Related
I have a WPF application that uses Client Application Services to allow authentication (username/password logon) against a related web application that uses Forms authentication and the SqlMembershipProvider/SqlProfileProvider/SqlRoleProvider. This all works and I can reliably validate a user/password combination.
The WPF application also calls a number of WCF services that are exposed by the same web application as is used for the CAS authentication. I now want to be able to pass through the authentication details (from Client Application Services) to the WCF services in order that I can identify the user that was authenticated within those services. I also need to be able to prevent the WCF services from being used if no authentication has taken place.
I have found a couple of .NET 3.5 examples where CAS authentication is used against .asmx web services, or authentication is provided against WCF Data Services which does not use ClientBase and has authentication facilities built in, but I cannot find any examples with pure WCF. Can anybody point me toward instruction that will enable this scenario? I am using .NET 4.0 for this project.
I have also found this stackoverflow question but again this is answered for .asmx web services and not for WCF.
The closest I have gotten involves the creation of an OperationContextScope and then copying the cookie header from the ClientFormsIdentity object to an HttpRequestMessageProperty and adding this to the OutgoingMessageProperties of the current OperationContext. I then call one or more methods of the service within the lifespan of the OperationContextScope. Thing is, when I then get to the WCF service, I still cannot see anything that resembles authentication in such a way as I can identify the original user. This methodology has been taken from various examples but I am obviously missing a step at the WCF end.
I think you need to switch to the Web API that Microsoft is now having people use for WCF Services. Check out Using Forms Authentication with Web API and http://aamirposwal.blogspot.com/2012/05/aspnet-web-api-custom-authorize-and.html
Found it.
In my binding, I specified allowCookies="true".
According to Wiktor Zychla, "setting the AllowCookies property on a BasicHttpBinding to true turns on the automatic cookie management" - this means that any attempt to set a cookie in code will be ignored and this is what I was doing.
We write a WCF web service.
How can we call it's methods in JSON format?
An additional issue is how can we secure our web services.
I'd like to use Microsoft Membership and Roles providers for users authentication and authorization. The question is how to do this. Is it possible to do authentication and authorization behind-the-scenes (in context of WCF), or I must call ValidateUser() and IsUserInRole() in every web method for every user call?
Whether I restricted to use webHttpBinding (over wsHttpBinding) because our client-side programmer familiar with AJAX/JSON? Whether there are any restrictions of webHttpBinding concerning using Membership/Roles comparably comparably to wsHttpBinding?
Thanks a lot in advance!
Ilan.
My server side contains WCF4 REST services and I'm going to add RIA services for my future SL4 application. Currently I'm doing Basic authentication like this:
var auth = HttpContext.Current.Request.Headers.GetValues("Authorization");
And so on.. You get the idea.. I call this on every request. If header not present or I can't validate UN/Password - I do this:
outgoingResponse.Headers.Add("WWW-Authenticate: Basic realm=\"Secure Area\"");
That got me by so far but I'm refactoring my server side. Implementing IoC for linked services. Created custom ServiceHost, ServiceHostFactory, InstanceProvider and all is well.
Now I need to figure how to properly handle authentication and authorization with WCF so I don't have to manually inspect headers. I do have my custom MembershipProvider so there have to be some method that get's UN/PW to process.
Any pointers? I looked at http://www.codeproject.com/KB/WCF/BasicAuthWCFRest.aspx but it uses RequestInterceptor and it is not available in WCF4. I found ServiceAuthenticationManager and ServiceAuthorizationManager but there is no samples available on how to code and wire those..
Can anybody suggest which way I should go?
Try to use this custom HTTP module. It will add new authentication mode to IIS and it will allow you using custom credentials validation.
I had all types of issues using the built-in annotations for WCF in a recent SOAP/C# project. I know this isn't the best solution, but for my purposes, I enabled basic authentication in IIS7 for my application, disabled anonymous authentication and created Active Directory users for the external clients that would call the web service endpoints. I then changed the application's permissions in IIS7 (it uses file system permissions) to allow a group containing those users.
This moves authentication outside your application, which may not be what you want, but does allow you to easily add users via the IIS7 console and deployment tools that can copy those permissions. The advantage is that you don't have to redeploy your application for permission changes. The disadvantage is you can't do fine grained permission control per function.
I am currently working on a project that has an iPad application that uses JSON to call WCF services hosted with IIS. One of the requirements is that the WCF services needs to use IIS Basic Authentication to login. Once the user has been authenticated from the database, a few values need to set to a cookie for return trips to other WCF functions (similar to asp.net session variables). Is this possible with WCF and using cookies to hold state? If not, any recommended method?
Thank you.
WCF absolutely supports basic authentication. http://msdn.microsoft.com/en-us/library/ms733775.aspx has details on this. WCF will then identify this user on all messages that come through.
If you want to implement a customer authorization mechanic, you will need to implement ServiceAuthorizationManager. I've recently done something similar where I have iOS clients that use OAuth to authenticate with our services. I have this implemented a ServiceAuthorizationManager to determine who they are and what privileges that they have. Might be worth looking into.
I need help on securing my WCF Service so that only authorized users can make a call to service methods.
The WCF Service is configured with wsHttpBinding and is hosted under Windows Service.
The client application is an asp.net website. Also, the users making call to WCF service are already authorized by client application, so just need to make sure that they are authorized while handling the request on service side.
Please guide me on what are the different ways (along with their pros and cons, if possible) to achive above.
Thank you!
If you are using the ASP.NET role provider infrastructure, you could pass the user on and leverage the same provider via WCF. This would be nice as it would maintain logic across the process boundaries.
If you are using Windows groups for ASP.NET, the same would apply, just re-authorize.
Certificates are an option, but then you have to manage them.
Lastly you could issue an access token and validate it on the WCF side. This could be done by extending WCF(probably at the contract level). You would then have to manage the token via some other service to enforce expiration etc.