1

I have a WCF service which is hosted in IIS 7.0/7.5 inside of a ASP.NET MVC web application (by using an .svc file with ServiceHost directive). The security settings in my configuration are looking like this:

<services>
  <service name="MyServiceLib.MyService">
    <endpoint address="" binding="wsHttpBinding" 
              bindingConfiguration="wsHttpBindingConfig"
              contract="MyServiceLib.IMyService" />
  </service>
</services>

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpBindingConfig">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="None" />
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior>
      <serviceCredentials>
        <userNameAuthentication
            userNamePasswordValidationMode="MembershipProvider"
            membershipProviderName="AspNetSqlMembershipProvider"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

As you can see I'm using SSL for transport security and then authenticate with user name and password against the ASP.NET membership provider. This works fine so far.

But I want to restrict access to this service to not only authenticated users but to users who are in a specific role and who have a specific value set in their profile. (I'm using the SqlProfileProvider in the web app and every user has a profile with specific values assigned.)

Is it possible to achieve this via configuration settings? If not, can I create some kind of custom authentication on the service side which would allow me to retrieve user and password from the incoming message and then check membership and role and pull out the profile from the profile store? How can I do this?

Slauma

2 Answers

1

How about Enable WCF Role Service?

Otherwise, you can implement your own authentication method. You tell WCF that we want to validate a user on our own (performing your own check-sum/validation method(s))

Brad Christie
  • Hm, I'm not sure if this Role Service will help. Description says: *"This topic shows how to configure the ASP.NET role service on a Web server to make it available to clients that use the Windows Communication Foundation (WCF)."* But I don't want to make roles available to clients and I also can't ensure that the clients use WCF. I just want to check if the incoming user name is in a specific role, purely on server side. – Slauma Jun 22 '11 at 15:21
  • @Slauma: How about enabling [aspNetCompatibilityMode](http://blogs.msdn.com/b/wenlong/archive/2006/01/23/516041.aspx)? – Brad Christie Jun 22 '11 at 15:28
  • I think the WCF role service simply has another purpose - with or without `aspNetCompatibilityMode` - than what I need. But the custom validation was actually easy to implement and works fine. Thanks for this tip! – Slauma Jun 22 '11 at 21:34
1

Well, you can restrict access to methods in your service by decorating them with the 'PrincipalPermissionAttribute'

[PrincipalPermission(SecurityAction.Demand, Role = "User")]
public void MyMethod()
{
    ...
}

You need to configure the service to use role provider:

<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlRoleProvider" />

But that will only help with roles. I don't think there is anything out of the box that will help with checking for a value in the user profile: you may consider doing that manually inside the method body.

TheNextman
  • I tried that but I always get an exception: *"Request for principal permission failed."* - no matter whether the user is in the role I specified or not. Does this perhaps only work with user groups in Windows authentication, and not with ASP.NET roles? – Slauma Jun 22 '11 at 15:46
  • You need to configure the service to use role provider: – TheNextman Jun 22 '11 at 17:26
  • Thanks for this tip! I have now used the custom validation (because I need access to profiles anyway). You could edit your last comment into your answer (in case anyone else finds this here), since it's important information for getting your solution working with the ASP.NET role provider. – Slauma Jun 22 '11 at 21:38
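As an added example (not code from the question or from either answer), here is the kind of custom validation the first answer suggests and the second answer's profile check folded into it: a UserNamePasswordValidator that, on the server side only, verifies the password against the membership provider, then the role, then a profile value. The class name, the role name "ServiceUsers" and the profile property "ServiceAccessEnabled" are assumptions, as is that roleManager and the profile provider are enabled in the web application's web.config.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.ServiceModel;
using System.Web.Profile;
using System.Web.Security;

namespace MyServiceLib
{
    // Replaces the MembershipProvider validator from the question with one that
    // checks password, role membership and a profile value in a single place.
    // Role name and profile property name are assumptions for this example.
    public class RoleAndProfileValidator : UserNamePasswordValidator
    {
        private const string RequiredRole = "ServiceUsers";
        private const string AccessProperty = "ServiceAccessEnabled";

        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
                throw Denied();

            // 1. Credentials against the ASP.NET membership provider (same store as before).
            if (!Membership.ValidateUser(userName, password))
                throw Denied();

            // 2. Role membership through the configured ASP.NET role provider.
            if (!Roles.IsUserInRole(userName, RequiredRole))
                throw Denied();

            // 3. Profile value through the configured ASP.NET profile provider
            //    (a bool property; a missing or false value denies access).
            ProfileBase profile = ProfileBase.Create(userName);
            object flag = profile == null ? null : profile.GetPropertyValue(AccessProperty);
            if (!(flag is bool) || !(bool)flag)
                throw Denied();
        }

        // One generic fault for every failure, so the response does not reveal
        // which of the three checks rejected the caller.
        private static FaultException Denied()
        {
            return new FaultException("Unknown user name or incorrect password.");
        }
    }
}

// web.config: replace the <userNameAuthentication> element from the question with
// <userNameAuthentication userNamePasswordValidationMode="Custom"
//     customUserNamePasswordValidatorType="MyServiceLib.RoleAndProfileValidator, MyServiceLib" />
```

Because all three checks run inside Validate, a caller who fails the role or profile test is rejected before the operation is ever invoked, and the PrincipalPermission attribute is then only needed for per-method role differences.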