Checking clients and the methods they are allowed to access outside of the method?

Question

Here's a link to my previous related question.

 --------------
| ServiceA.svc | ------------> Test Client 1
|  -GetData()  | ------------> Test Client 2
|  -SaveData() |
 --------------

So far, so good. By checking ServiceSecurityContext.Current.PrimaryIdentity.Name in my GetData() and SaveData() methods, I am able to distinguish and allow/deny clients.
While this does the job, I think it would be more efficient if the method isn't called at all and have the client checking outside of the method.

Any suggestions on the most efficient way to do this?
^{_{I was thinking something akin to 'Hey! This GetData() method is only for Client 1. You're Client 2! Why are you trying to access this?! Get out!!!'}}

score 1 · Accepted Answer · answered Apr 19 '12 at 22:03

1

The way you are doing it now is correct.

If you move then checking of which services a user can call to the client, you leave the services open to attack from a client that is not built by you.

If you grouped methods with the same access restrictions into their own services, you could set the access at the service level using wcf configuration.

answered Apr 19 '12 at 22:03

Shiraz Bhaiji

64,065
34
143
252

Thanks for your input! I guess I'll have to stick with what I have for now since we're pretty much dead set on not splitting up the service at this time. – kei Apr 19 '12 at 22:40

Checking clients and the methods they are allowed to access outside of the method?

1 Answers1