CODEWITHSUNDEEP
wcfsecurityasp.net-membershipwcf-security
Slauma
Slauma

Reputation: 177163

WCF authentication with ASP.NET membership, role and profile

I have a WCF service which is hosted in IIS 7.0/7.5 inside of a ASP.NET MVC web application (by using an .svc file with ServiceHost directive). The security settings in my configuration are looking like this:

<services>
  <service name="MyServiceLib.MyService">
    <endpoint address="" binding="wsHttpBinding" 
              bindingConfiguration="wsHttpBindingConfig"
              contract="MyServiceLib.IMyService" />
  </service>
</services>

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpBindingConfig">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="None" />
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior>
      <serviceCredentials>
        <userNameAuthentication
            userNamePasswordValidationMode="MembershipProvider"
            membershipProviderName="AspNetSqlMembershipProvider"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

As you can see I'm using SSL for transport security and then authenticate with user name and password against the ASP.NET membership provider. This works fine so far.

But I want to restrict access to this service to not only authenticated users but to users who are in a specific role and who have a specific value set in their profile. (I'm using the SqlProfileProvider in the web app and every user has a profile with specific values assigned.)

Is it possible to achieve this via configuration settings? If not, can I create some kind of custom authentication on the service side which would allow me to retrieve user and password from the incoming message and then check membership and role and pull out the profile from the profile store? How can I do this?

Upvotes: 1

Views: 2941

Answers (2)

TheNextman
TheNextman

Reputation: 12566

Well, you can restrict access to methods in your service by decorating them with the 'PrincipalPermissionAttribute'

[PrincipalPermission(SecurityAction.Demand, Role = "User")] public void MyMethod() { ...

You need to configure the service to use role provider:

<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlRoleProvider" />

But that will only help with roles. I don't think there is anything out of the box that will help with checking for a value in the user profile: you may consider doing that manually inside the method body.

Upvotes: 1

Brad Christie
Brad Christie

Reputation: 101614

How about Enable WCF Role Service?

Otherwise, you can implement your own authentication method. You tell WCF that we want to validate a user on our own (performing your own check-sum/validation method(s))

Upvotes: 1

Related Questions