Nate Dudek

Reputation: 1265

Are WCF Data Services (Astoria) a good choice for a Line of Business application?

One of our architects is building a new reference architecture for the next generation of one of our company's applications. The prototype is an ASP.NET MVC 2 web app that sits on top of WCF Data Services (Astoria) and uses EntityFramework 4 for data access and object mapping.

The prototype application manages roles of users, so the services do things like creating/updating/deleting users, adding application access/abilities/roles to users, etc. So from a security standpoint, no one should be able to hit a data service outside of the application and have any of those actions take place.

I originally thought that WCF Data Services were meant for OData implementations and "open" services on the web, and that line of business apps should still use traditional WCF services for their adaptability, security, and other features. Am I way off base here? Are WCF Data Services a good choice to call from MVC controllers? Can they handle things like authentication and security as easily as traditional WCF services?

Upvotes: 2

Views: 389

Answers (2)

Dony

Reputation: 21

OData is a protocol for accessing data, not for securing data. There is no standard solution to limit access to certain parts of the data only to specific roles or accounts, like in every ordinary SQL database. Most security measures are based on 'everything is visible and all operations are allowed unless you specify otherwise for specific cases' instead of 'secure by default'.

This is a great hurdle when you want to use OData to access company data from within line of business applications. If you plan to use Ajax calls your OData has to be visible from the internet and thus becomes vulnerable to all kinds of attacks. OData seems to be a great protocol for public data already available on the internet, but as far as I know currently no OData provider implements role based permissions out of the box.

It is possible to extend a standard WCF Data Service with this kind of permissions, but that comes with a price. I know from experience that security can not be added afterwards, it has to be an integral part of any application framework and data storage facility. You may hope for the best, but you always need to plan for the worst, and it won't be long before someone is looking on the internet for unsecured OData sources containing sensitive data of individuals and companies.

Upvotes: 1

John Farrell

Reputation: 24754

Update:

The new question is basically "Can WCF Data Services restrict access?" Yes.

These questions are hard to answer because you haven't posted your requirements, SLAs, or security needs. WCF Data Services are fine for my LoB but may not be for yours depending on all sorts of details you haven't posted.

Two Thoughts:

1) WCF Data Services are REST only and don't have the same security options as a hand-rolled WCF Service. Do you have to lock everything down like the Kremlin? WCF Data Services may not be your cup of tea.

2) WCF Data Services are perfect for read-only, "SELECT TOP 50 * FROM PRODUCT" type service methods. Normally you'd have to write a couple of WCF Service methods for each entity type of your app. By leveraging WCF Data Services on top of a normal WCF service you can save yourself a lot of time writing the same read methods over and over again.

Upvotes: 1
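Both answers turn on the same point: a WCF Data Service exposes nothing until `InitializeService` grants entity-set rights, and role-based restriction is not automatic but has to be written in by hand. The following is an added example (not code from the question or either answer) of what that hand-written restriction looks like for the user/role service described in the question: a default-deny configuration plus a query interceptor for row-level read filtering and a change interceptor that gates writes on the caller's role. The EF4 context `RoleModelEntities`, the `User` entity with a `LoginName` property, and the `UserAdmin` role name are assumptions for illustration; the interceptors rely on the host already authenticating the caller (e.g. Windows or forms authentication configured in web.config, over HTTPS), which the service itself does not do.

```csharp
using System;
using System.Data.Services;
using System.Data.Services.Common;
using System.Linq.Expressions;
using System.Web;

// RoleModelEntities is an assumed EF4 ObjectContext exposing Users and Roles.
// The User entity is assumed to have a string LoginName property.
public class RoleAdminService : DataService<RoleModelEntities>
{
    private const string AdminRole = "UserAdmin"; // assumed role name

    public static void InitializeService(DataServiceConfiguration config)
    {
        // Every entity set defaults to EntitySetRights.None; nothing is reachable
        // until a rule is set here. Grant the minimum the MVC controllers need
        // and never use the template's wildcard: config.SetEntitySetAccessRule("*", EntitySetRights.All)
        config.SetEntitySetAccessRule("Users", EntitySetRights.AllRead | EntitySetRights.WriteMerge);
        config.SetEntitySetAccessRule("Roles", EntitySetRights.AllRead);

        // Server-side paging caps how much a single query can pull, whatever $top says.
        config.SetEntitySetPageSize("Users", 50);

        // Do not return stack traces / inner exceptions to callers.
        config.UseVerboseErrors = false;
        config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V2;
    }

    // Runs on every read of Users, including reads reached through $filter and $expand.
    // The returned predicate is composed into the query, so non-admins cannot
    // see other users' rows no matter how the URL is shaped.
    [QueryInterceptor("Users")]
    public Expression<Func<User, bool>> OnQueryUsers()
    {
        var principal = HttpContext.Current.User;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new DataServiceException(401, "Authentication required.");

        if (principal.IsInRole(AdminRole))
            return u => true;

        string me = principal.Identity.Name;
        return u => u.LoginName == me;   // everyone else sees only their own row
    }

    // Runs before any insert, update or delete on Users; throwing aborts the change.
    [ChangeInterceptor("Users")]
    public void OnChangeUsers(User user, UpdateOperations operation)
    {
        var principal = HttpContext.Current.User;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new DataServiceException(401, "Authentication required.");

        if (!principal.IsInRole(AdminRole))
            throw new DataServiceException(403, "Only " + AdminRole + " may modify users.");

        // Example of an operation-specific rule: admins may not delete themselves.
        if (operation == UpdateOperations.Delete && user.LoginName == principal.Identity.Name)
            throw new DataServiceException(403, "An administrator cannot delete their own account.");
    }
}
```

Two caveats a practitioner should check against this. First, a `QueryInterceptor` only covers the entity set it names: if `Roles` has a navigation back to `Users`, a request such as `/Roles(1)/Users` is still filtered (the interceptor applies to every path that materialises `User` rows), but any other set that leaks user data needs its own interceptor. Second, the interceptors do nothing about who the caller is; if the service is hosted without authentication, `HttpContext.Current.User` is anonymous and the 401 branch is the only thing standing between the internet and the service, which is exactly the exposure the first answer warns about.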
