I have multiple NET.TCP services that provide access to my apps bussiness logic layer. I want to authenticate clients with username & password, within all the services, from one dedicated authentication service.
I have thinked that I can generate a custom authentication ticket when the authentication service logons the user and send it to other services. However when talking about security I prefer to use builtin implementations that have been already tested.
Is there a more WCF way to do this? Should I ever try this, or share the authentication logic and authenticate every service?
Thanks in advance
Yes, the (new) WCF way to do this is to use a (or implement your own) security token service based on the windows identity foundation framework.
Related
How to implement authentication security in WCF?
Means if any user is registered, than only be able to use service.
One way:-
Like, a mobile application at the time of installation update unique key with application Database.
So when client tried to connect with WCF service and if the key match then only be able to connect with service.
I want to know is there some other way to prevent unauthorized access for service?
You can read through this link Programming WCF security.
Read this link to Implement CustomUserNamePassword Authentication
You can configure your bindings to perform CustomUsernamePassowrd Authentication where you validated if the username and password are valid and if so you grant access to the service else deny.
I have several Silverlight, WP7 and ASP.NET MVC client applications Most allow anonymous access to the application but secure various features based on a user's credentials when logged in. All of the clients use a common back-end service application for data access and business processing which require the user's credentials for authentication and authorization.
We currently use Forms Authentication in all client applications and I'd like to migrate our architecture to use federated identity and a claims-based model. Passive federation is not an option.
I am looking for the following flow:
The user triggers the login dialog, enters their username and
password then clicks "OK".
Behind-the-scenes, the application calls an active STS service in
our existing service application for authentication.
The service is actually a federated STS and passes the call through
to the (active) IP_STS which may or may not be ADFS.
When the IP returns the token to the FP, the FP modifies the token
with additional claims from the server data store before returning
the token to the client application.
The client application maintains the token in memory for
authorization checks (in Thread.CurrentPrincipal, for example).
The client also passes the token when making requests to other
service operations in our service application.
These service operations will use the token to
authenticate/authorize the request.
This is a very different use-case from any of the articles and samples I've been able to locate. Can anyone provide some guidance and/or point me in the right direction?
It is my understanding from Dominic Baier that WIF doesn't currently support the approach we are taking. We've taken his suggestion and created our own custom STS that moderates authentication using the Provider model.
Unfortunately, the farther we got into this, the more we realized that WIF isn't flexible enough to satisfy our needs at this point. We stuck with the custom STS approach but are using our own transport and credentialling rather than the WIF tooling. Hopefully a future release will give us what we want.
I have a requirement to expose my wcf services to other vendors. For internal client's the authentication is pretty straight forward i.e. to use Windows Authentication with AzMan role provider.
My next step is to expose the same services to external customers. Since they are not on our Network, I'm wondering how I could implement the Role Based Authentication so that I can grant/deny the request to particular Operation.
Any help will be greatly appreciated.
Thanks.
If it's a software communicating with your service - Certificate authentication.
If it's a human - Username/Password
I would suggest configure AzMan to use ADAM (Active Directory Application Mode). This way you can have own database (AD) of external users with your defined roles, and AzMan will call that ADAM to check user roles. I've done it and it works fine. Here is the link for how to implement it: How To: Use ADAM for Roles in ASP.NET 2.0
please help. Half of the kingdom for a correct answer!!!
Is it possible to use WCF Windows authentication with the anonymous access option? My WCF service deployed in the AD domain, and there are some clients outside of the domain. Can I use windows authentication to get client credentials for users that are in the AD and the same time allow access to the users they are not in the domain? Thanks.
P.S. Sorry for poor English.
To do this you need to create a service configuration that exposes two different endpoints. One endpoint would use your current config. The new endpoint would be for the non-AD clients and you would configure it using the options listed here. For anonymous access, you could pick an unsecured client configuration. If your service host is IIS, you may need to have two different sites/applications because I believe enabling Windows authentication will disable anonymous access.
I am working with WCF Webhttp services. I have created a bunch of services and all that remains is to put in user authentication...
Questions
Keeping with the rest architecture style, should I authenticate each service call against the user db.
If so, I should just do authentication by supplying the credentials and password each time the service is called and make it secure with SSL. Basically, each webget/webinvoke function should contain the user credentials as parameters and I authenticate each call. Is this right? This seems rather inefficient.
Using session key somehow seems wrong but any pointers as to how to use Session in WCF Webhttp?
I am not working with ASP .net membership (will be looking into it soon) since I was working with Mysql and have my own registration/user database created. Should I be looking at that? Can I use a wcf authentication service along with wcf webhttp services?
Any literature on handling authentication in WCF webhttp services would be greatly helpful.
Many thanks
You can check Chapter 8 of RESTful .NET book (Amazon, Google books)
You will authenticate only the first call from the user, any subsequent calls will use the context of the authenticated user. There are several options how you can use SSL(TLS), like always or just when you send username/password.
I am not sure where exactly and how you store the authentication token (like in Session or similar type).
You don't need to use ASP.NET membership provider, in fact you may not use any membership provider at all, just use other authentication models. Usually, there will be only one authentication model per service, like you get the credentials, check them against persisted storage, if valid you set the security token and that token is used for all the next calls for a limited amount of time.