WCF Service Authentication/Authorization question

ben_ng (Member, joined Sep 13, 2007, Singapore)
Hi,
I am new to WCF and here's my scenario.
My web page will be hosted on a web server, and there will be an app server hosting the WCF services that my web page will call. I will be using forms authentication for authenticating users, and roles will be custom roles populated in SQL Server, not the built-in aspnet tables. To add to the difficulty, I am using the Web Client Software Factory in my development.
Here's my question. I am worried that unauthorised users (logged in but still unauthorised) will try to call my WCF service directly if they know the URL for the service. I am unable to use System.Threading.Thread.CurrentPrincipal.Identity.Name to pass their identity to the service, as it spans different servers.
Is there a way for me to authenticate by passing their credentials to the WCF service, so that I can do a further authorization check from there? I understand I can do something like this:
VB.NET:
' Create the proxy and attach UserName credentials to the channel factory.
' ClientCredentials exposes the username/password pair as the UserName property,
' so the client credential is set through Credentials.UserName, not Credentials.UserNamePassword.
Dim pxy As New MyFirstSecuredWCFServiceProxy
pxy.ChannelFactory.Credentials.UserName.UserName = "Softwaremaker"
pxy.ChannelFactory.Credentials.UserName.Password = "SomePassword"
to pass the username to my WCF service for authorization checking. But how do I grab the username from my WCF service?
Sorry if my question sounds stupid as I am very new to WCF.
Thanks for any help given!
 
Information about the authenticated caller of a WCF service can be checked by using ServiceSecurityContext, e.g. ServiceSecurityContext.Current.PrimaryIdentity.Name.

If you implement IIdentity with your own custom type, you can use PrincipalPermission to check the caller's role declaratively or imperatively.
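An added VB.NET example (not code from this thread) of the two pieces described above on the app server side: a custom IAuthorizationPolicy that turns the validated caller name into roles read from the custom SQL role tables and sets the request principal, and a service operation that reads the caller name from ServiceSecurityContext and demands a role with PrincipalPermission. SqlRoleAuthorizationPolicy, LoadRolesFromSql, GetSecret and the "Admin"/"User" role names are assumed; the policy also assumes the username/password has already been validated (for example by a UserNamePasswordValidator) so that an identity is present when it runs.

```vb
Imports System
Imports System.Collections.Generic
Imports System.IdentityModel.Claims
Imports System.IdentityModel.Policy
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.ServiceModel

' Runs on the app server after the caller's username/password has been
' validated. Registered in config under <serviceAuthorization
' principalPermissionMode="Custom"><authorizationPolicies>.
Public Class SqlRoleAuthorizationPolicy
    Implements IAuthorizationPolicy
    Private ReadOnly _id As String = Guid.NewGuid().ToString()
    Public ReadOnly Property Id As String Implements IAuthorizationComponent.Id
        Get
            Return _id
        End Get
    End Property

    Public ReadOnly Property Issuer As ClaimSet Implements IAuthorizationPolicy.Issuer
        Get
            Return ClaimSet.System
        End Get
    End Property

    Public Function Evaluate(context As EvaluationContext, ByRef state As Object) As Boolean _
        Implements IAuthorizationPolicy.Evaluate
        Dim identities As Object = Nothing
        If Not context.Properties.TryGetValue("Identities", identities) Then Return False
        Dim caller = DirectCast(identities, IList(Of IIdentity))(0)
        ' Roles come from the custom SQL tables; the principal carries them for PrincipalPermission.
        context.Properties("Principal") = New GenericPrincipal(caller, LoadRolesFromSql(caller.Name))
        Return True
    End Function

    Private Shared Function LoadRolesFromSql(userName As String) As String()
        Return New String() {"User"} ' Hypothetical: query the custom role tables here.
    End Function
End Class

<ServiceContract()>
Public Class MyFirstSecuredWCFService
    ' Declarative check: callers without the role are rejected before the body runs.
    <OperationContract(), PrincipalPermission(SecurityAction.Demand, Role:="Admin")>
    Public Function GetSecret() As String
        Return "Hello " & ServiceSecurityContext.Current.PrimaryIdentity.Name
    End Function
End Class
```

A caller that authenticates but lacks the "Admin" role receives a SecurityAccessDeniedException rather than reaching the method body, which is the check the question asks for against users who call the service URL directly.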
 

Hi,
thanks for the tip. Does this command work across servers? I will be passing the credentials from the web server to the app server.
Thanks
 
As far as I know, when Windows credentials are used, you can configure the server to impersonate the caller's identity so that the request thread operates under the impersonated Windows token. However, it may not be possible for other credentials (I may be wrong).
 