Mickel

Reputation: 6696

WebService authentication via default MembershipProvider

What is the best practice when you need to authenticate specific OperationContracts, while using the default MembershipProvider for security (FormsAuthentication)?

I guess that doing Membership.ValidateUser and Membership.GetUser just won't cut it when using WebServices, right?

In other words: How can I verify that a user is allowed to use specific methods in the webservice (that the user is authenticated/"logged on")?

Upvotes: 3

Views: 1454

Answers (2)

Bennett Dill

Reputation: 2915

I have been known to over-engineer things, so when I use WCF in my web applications, I wrap the service in my web app. This way my web app calls the abstraction.

Now, what you can do is apply your code access security (CAS) on the wrapper.

Example code might look like this (tons of details omitted for brevity)

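internal class ServiceWrapper
{
    // Proxy for the underlying WCF service (types omitted in the original).
    Service Svc;

    public ServiceWrapper()
    {
        Svc = new ServiceClient();
    }

    // Demands that the current principal is in the "HelloWorld" role
    // before the call is forwarded to the service.
    [System.Security.Permissions.PrincipalPermission(System.Security.Permissions.SecurityAction.Demand, Role = "HelloWorld")]
    public string HelloWorld()
    {
        return Svc.HelloWorld();
    }
}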

In a perfect world, we would want CAS to be a bit more DRY (don't repeat yourself), meaning handled in the WCF as you suggest. But this might be a good middle of the road if you know you can lock down your WCF app and control who calls it :-)

That would help you simplify getting the ball rolling...

Good luck!

Upvotes: 1

sblom

Reputation: 27343

Yeah--you can't really use FormsAuthentication in this case. But there is excellent infrastructure available in WCF for managing role-based access to individual methods: http://msdn.microsoft.com/en-us/magazine/cc948343.aspx

Upvotes: 3
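
As an added illustration of the two answers above (not code from either answerer or from the linked article), this sketch has WCF validate username credentials against the default MembershipProvider and enforce per-operation roles through the role provider, so the PrincipalPermission demand sits on the service itself rather than on a wrapper. The contract, the role name and the URL are assumptions, and it presumes membership and role providers are configured in the host's config file and a TLS certificate is bound to the port.

```csharp
// Added example; IGreeter, Greeter, the "HelloWorld" role and the URL are assumptions.
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Web.Security;
[ServiceContract]
public interface IGreeter
{
    [OperationContract] string HelloWorld();   // restricted to one role
    [OperationContract] string Ping();         // any authenticated caller
}

public class Greeter : IGreeter
{
    // By the time this runs, WCF has validated the username/password against
    // the membership provider; the demand is answered by the role provider.
    [PrincipalPermission(SecurityAction.Demand, Role = "HelloWorld")]
    public string HelloWorld() { return "Hello, " + ServiceSecurityContext.Current.PrimaryIdentity.Name; }

    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string Ping() { return "pong"; }
}

public static class Program
{
    public static void Main()
    {
        // Username credentials travel in the message; TLS protects them in transit.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(Greeter), new Uri("https://localhost:8443/greeter"));
        host.AddServiceEndpoint(typeof(IGreeter), binding, "");

        // Authentication: check each caller's password with the default MembershipProvider.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.MembershipProvider;
        host.Credentials.UserNameAuthentication.MembershipProvider = Membership.Provider;

        // Authorization: build the thread principal from the ASP.NET role provider.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        host.Authorization.RoleProvider = Roles.Provider;
        host.Open();
        Console.ReadLine();   // keep the host alive until Enter is pressed
        host.Close();
    }
}
```

A caller who authenticates but is not in the demanded role is refused at the operation with an access-denied fault, while Ping() stays available to any authenticated user.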
