WCF authentication with ASP.NET membership, role and profile_问答_开发者

WCF authentication with ASP.NET membership, role and profile

开发者 https://www.devze.com 2023-03-14 13:10 出处：网络

I have a WCF service which is hosted in IIS 7.0/7.5 inside of a ASP.NET MVC web application (by using an .svc file with ServiceHost directive). The security settings in my configuration are looking li

I have a WCF service which is hosted in IIS 7.0/7.5 inside of a ASP.NET MVC web application (by using an .svc file with ServiceHost directive). The security settings in my configuration are looking like this:

<services>
  <service name="MyServiceLib.MyService">
    <endpoint address="" binding="wsHttpBinding" 
              bindingConfiguration="wsHttpBindingConfig"
              contract="MyServiceLib.IMyService" />
  </service>
</services>

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpBindingConfig">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="None" />
        <message clientCredentialType="UserName" />
     开发者_JS百科 </security>
    </binding>
  </wsHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior>
      <serviceCredentials>
        <userNameAuthentication
            userNamePasswordValidationMode="MembershipProvider"
            membershipProviderName="AspNetSqlMembershipProvider"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

As you can see I'm using SSL for transport security and then authenticate with user name and password against the ASP.NET membership provider. This works fine so far.

But I want to restrict access to this service to not only authenticated users but to users who are in a specific role and who have a specific value set in their profile. (I'm using the SqlProfileProvider in the web app and every user has a profile with specific values assigned.)

Is it possible to achieve this via configuration settings? If not, can I create some kind of custom authentication on the service side which would allow me to retrieve user and password from the incoming message and then check membership and role and pull out the profile from the profile store? How can I do this?

How about Enable WCF Role Service?

Otherwise, you can implement your own authentication method. You tell WCF that we want to validate a user on our own (performing your own check-sum/validation method(s))

Well, you can restrict access to methods in your service by decorating them with the 'PrincipalPermissionAttribute'

[PrincipalPermission(SecurityAction.Demand, Role = "User")] public void MyMethod() { ...

You need to configure the service to use role provider:

<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlRoleProvider" />

But that will only help with roles. I don't think there is anything out of the box that will help with checking for a value in the user profile: you may consider doing that manually inside the method body.