WCF authorization from website client

2018-06-07 06:12:03

I am having ASP.NET application with users (based on ASP.NET Identity 2). Each user can post data to WCF service (ASP controller backend). In system is quota, also roles and others. I would like to have limited access to WCF per user. I mean "basic" user can't do things what administrator can if "user" tries to create own application and connect to service.

Basicly its about authorization. What I don't know is what is best practice. Should I send to WCF in header username and some token or on website do security checks and make WCF communication available just for one specific application by certificate or something else that guarantee to accept just that specific website app?

If not any described practice is good then how it should be?

Thanks for sharing your knowledge :)

1- On MVC side, authorization is done with [Authorize] attribute. This attribute validates that .ASPX auth cookie is created and valid.

2- On WCF, you must decorate your methods with [PrincipalPermission(SecurityAction.Demand, Role = "Admin")] where "Admin" is the MVC web app pool identity. This way you make sure this operation can be called only from the administration portal. The same applies to customers portal for instance.

3- For more granular security, you can send the username from MVC to WCF by setting the CallContext (WCF one). CallContext.Set("username",value) and read it from WCF with interceptors.

链接地址: http://www.djcxy.com/p/22266.html

上一篇: 使用OAuth保护我的REST API，同时仍允许通过第三方OAuth提供者进行身份验证（使用DotNetOpenAuth）

下一篇: 来自网站客户端的WCF授权