Reputation: 30636
User Authorization in WCF with BasicHttpBinding with TransportWithMessageCredential
I currently have a service which is secured by TransportWithMessageCredential over https. This works great! I now need to add a bit of granularity to some operations on this service.
Lets say I have this method public IEnumerable<Project> GetProjects() now I need to add an additional method which will limit the projection to projects which the current user has access.
Is using code like this:
var uid = System
.ServiceModel
.OperationContext
.Current
.IncomingMessageProperties
.Security
.ServiceSecurityContext
.PrimaryIdentity;
var returnProjects = context.Projects.Where(p => p.ProjectManager.Equals(uid.Name));
going to leave me vulnerable to any type of attack?
I think this should be fine, since WCF will hit my custom UserNamePasswordValidator first and "authenticate" the user, then the code I have above will "authorize" them to get only their projects. Is there a flaw in my thinking here?
Upvotes: 2
Views: 496
Answers (1)
Reputation: 44921
No, that is perfectly valid thinking. This is exactly the way that we implement user-specific security (with the minor exception that we use FormsAuthentication for identifying the user).
Before each request is processed, we always check the user and if there is anything suspicious about the request, we throw an exception.
Upvotes: 2
Related Questions
- httpBasicBinding with authentication and no message or transport security
- BasicHttpBinding with TransportWithMessageCredential and clientCredentialType="Windows"
- WCF Authentication
- WCF Security - Transport Level Security with username password
- Basic authentication and WCF
- WCF Direct Authentication using BasicHttpBinding
- wcf Username and password security with basichttpBinding--Message Based
- TransportWithMessageCredential and wcf 3.5 and hosted in IIS
- Authentication with basicHttpBinding
- Send Authenticated User To WCF Application