Reputation: 7831
.NET WCF permissions
I have setup a .NET WCF web service that will expose some methods to create/update email alerts for different contactsIds. The webservice is going to live behind the firewall.
My fear is that if we expose a call like:
bool SetAlertTemplate(int alertId, int templateId);
One of the client websites could modify unintentionally an alert that does not belong to the contactId that is using the website.
Even if i use:
bool SetAlertTemplate(int alertId, int contactId, int templateId);
It could create a problem in the future if we expose the webservice to the public. Where anyone could modify any alert.
What is the best way to expose a webservice and be sure that the client has permissions to modify the alert of a contactId, and hopully not sending these parameters with every call.
Upvotes: 1
Views: 402
Answers (1)
Reputation: 233150
Configure your WCF service to translate the authenticated user to a proper IPrincipal instance. This ensures that in the rest of the call stack, Thread.CurrentPrincipal will represent the authenticated user.
From your description it sounds like you need to protect assets (alerts), which means that you will need to implement Access Control Lists (ACLs) on the assets.
Whenever anyone attempts to modify the asset, you can check whether Thread.CurrentPrincipal is allowed to modify that particular asset according to its ACL.
Related answers:
Upvotes: 1
Related Questions
- WCF ServiceHost access rights
- How do I use my own permissions in WCF?
- WCF service login and operation permissions
- How do I set permissions for a WCF Windows Service?
- WCF PrincipalPermission with roles, configuring for sub-methods
- WCF Security Question
- How to tie ASP.NET permissions to WCF service
- WCF Security - Client Authorization
- WCF security problem
- WPF to WCF Permission issue