Reputation: 1035
I have an ASP.NET application with users (based on ASP.NET Identity 2). Each user can post data to a WCF service (the ASP controller is the backend). The system has quotas, roles and other things. I would like to have limited access to WCF per user. I mean a "basic" user can't do the things an administrator can if that "user" tries to create their own application and connect to the service.
Basically it's about authorization. What I don't know is what the best practice is. Should I send the username and some token to WCF in a header, or do the security checks on the website and make WCF communication available only to one specific application, by certificate or something else that guarantees only that specific website app is accepted?
If none of the described practices is good, then how should it be done?
Thanks for sharing your knowledge :)
Upvotes: 0
Views: 207
Reputation: 908
1- On the MVC side, authorization is done with the [Authorize] attribute. This attribute validates that the .ASPX auth cookie is created and valid.
2- On WCF, you must decorate your methods with [PrincipalPermission(SecurityAction.Demand, Role = "Admin")], where "Admin" is the MVC web app pool identity. This way you make sure this operation can be called only from the administration portal. The same applies to the customers portal, for instance.
3- For more granular security, you can send the username from MVC to WCF by setting the CallContext (the WCF one): CallContext.Set("username", value), and read it in WCF with interceptors.
Upvotes: 1
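The following is an added example, not code from the question or the answer above, that puts steps 2 and 3 of the answer into one self-contained WCF service. It assumes a hypothetical `IDataService` contract, a hypothetical app-pool/Windows group named "Admin", and a constructed header name and namespace; instead of the answer's CallContext it carries the username in a SOAP message header and checks it with an `IDispatchMessageInspector`, which is the standard WCF interception point for that. The key design point is that the username header is only trustworthy because the transport already authenticated the calling application (the MVC pool identity, checked by `[PrincipalPermission]`); the service must never grant rights based on that header to a caller who has not passed the channel-level check, otherwise any user who writes their own client could claim to be an administrator.

```csharp
// Added example (not from the original Q&A). Names, roles, header name and
// namespace are assumptions for illustration.
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

namespace QuotaDemo
{
    [ServiceContract]
    public interface IDataService
    {
        [OperationContract]
        string PostData(string payload);
    }

    public class DataService : IDataService
    {
        // Step 2: the caller's Windows identity (the MVC app pool account)
        // must be in the "Admin" group, so only the trusted web app gets in.
        [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
        public string PostData(string payload)
        {
            // Step 3: the per-request username the MVC side attached.
            // It is used for quota/role decisions about the *end user*, not
            // for deciding whether the calling application is trusted.
            string user = UsernameHeader.Read();
            return string.Format("stored {0} bytes for {1}", payload.Length, user);
        }
    }

    // Constructed header name/namespace for this example.
    public static class UsernameHeader
    {
        public const string Name = "username";
        public const string Ns = "urn:example:quota-demo";

        // Client side (inside the MVC controller, after [Authorize] passed):
        // run one service call with the signed-in user's name as a header.
        public static TResult CallAs<TResult>(IClientChannel channel, string username, Func<TResult> call)
        {
            using (new OperationContextScope(channel))
            {
                OperationContext.Current.OutgoingMessageHeaders.Add(
                    MessageHeader.CreateHeader(Name, Ns, username));
                return call();
            }
        }

        // Service side: read the header back from the incoming message.
        public static string Read()
        {
            MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
            int index = headers.FindHeader(Name, Ns);
            if (index < 0)
                throw new FaultException("username header missing");
            return headers.GetHeader<string>(index);
        }
    }

    // Interceptor: reject requests without the header before any operation
    // runs, so individual methods do not have to repeat the check.
    public class UsernameInspector : IDispatchMessageInspector
    {
        public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
        {
            if (request.Headers.FindHeader(UsernameHeader.Name, UsernameHeader.Ns) < 0)
                throw new FaultException("username header missing");
            return null;
        }

        public void BeforeSendReply(ref Message reply, object correlationState) { }
    }

    public static class Program
    {
        public static void Main()
        {
            // Transport security with Windows credentials: the channel itself
            // authenticates the calling process, which is what makes the
            // [PrincipalPermission] role check and the username header meaningful.
            var host = new ServiceHost(typeof(DataService), new Uri("net.tcp://localhost:9000/quota"));
            host.AddServiceEndpoint(typeof(IDataService), new NetTcpBinding(SecurityMode.Transport), "");
            host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

            foreach (ChannelDispatcher dispatcher in host.ChannelDispatchers)
                foreach (EndpointDispatcher endpoint in dispatcher.Endpoints)
                    endpoint.DispatchRuntime.MessageInspectors.Add(new UsernameInspector());

            host.Open();
            Console.WriteLine("Service listening; press Enter to stop.");
            Console.ReadLine();
            host.Close();
        }
    }
}
```

On the MVC side the controller wraps each proxy call as `UsernameHeader.CallAs(client.InnerChannel, User.Identity.Name, () => client.PostData(data))`, so the end user never sees or sets the header directly. Note that the inspectors must be added after the endpoints exist but before `host.Open()`, which is why the loop over `ChannelDispatchers` sits where it does; if the channel dispatchers are not yet populated in your hosting environment, attach the inspector through an endpoint behavior instead.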