MSDN Magazine - October 2008 - (Page 65)

DOmInICk BAIer AnD ChrIStIAn Weyer Service Station Authorization In WCF-Based Services Once you start adopting service-oriented principles for your distributed applications, the security challenges become slightly different. You suddenly realize that you are crossing a security boundary for every service call you make. Typically—though not necessarily—there will be a network between the sender and the recipient of a service call. While authentication is usually handled automatically by the communication framework, you still have to come up with your own authorization strategy and infrastructure. Windows Communication Foundation (WCF) provides powerful facilities for implementing authorization in services. You have the choice between an easy-to-use, role-based system as well as a more powerful, but more complex, claims-based API. The remainder of this article will compare both systems and show how to use them to implement robust service authorization. Figure 1 Role Check with Error Handling Service class Service : IService { // only 'users' role member can call this method [PrincipalPermission(SecurityAction.Demand, Role = 'users')] public string[] GetRoles(string username) { // only administrators can retrieve the role information for other users if (ServiceSecurityContext.Current.PrimaryIdentity.Name != username) { if (Thread.CurrentPrincipal.IsInRole('administrators')) { } else { // access denied throw new SecurityException(); } } } } Client var factory = new ChannelFactory ('*'); factory.Credentials.UserName.UserName = 'bob'; factory.Credentials.UserName.Password = 'bob'; var proxy = factory.CreateChannel(); try { Console.WriteLine('\nBob: roles for Bob --'); proxy.GetRoles('bob').ToList().ForEach(i => Console.WriteLine(i)); Console.WriteLine('\nBob: roles for Alice --'); proxy.GetRoles('alice').ToList().ForEach(i => Console.WriteLine(i)); Role-Based Authorization The idea behind role-based authorization is that you associate a list of roles with a user. At run time, the service code queries the list to make security-related decisions. These roles can come from the Windows security system (where they are called groups) or from some custom store, such as a database. The roles API in the Microsoft .NET Framework is based on two interfaces called IIdentity (identity information) and IPrincipal (role information). An IIdentity-derived class holds information such as the name of the user, whether he is authenticated, and how he was authenticated. An IPrincipal-derived class must implement a single method called IsInRole where you can pass in a role name and get a Boolean response. In addition, the principal has a reference to the identity class it wraps. The .NET Framework ships with several implementations of theses interfaces. WindowsIdentity and WindowsPrincipal wrap details about a Windows user. GenericIdentity and GenericPrincipal can be used to represent a custom, authenticated user. There is also a location where you can store a principal to associate it with the currently executing thread in your application (for example, a WCF operation request). This is the CurrentPrincipal thread static property on the System.Threading.Thread class. The typical course of events is that one part of an application populates Thread.CurrentPrincipal so that another part of the application can reach into this property to grab the IPrincipal implementation } catch (SecurityAccessDeniedException) { Console.WriteLine('Access Denied\n'); } stored there. Then the IsInRole method can be called on that class to query the role list of the current user to ensure that the caller is authorized for the operation. This is exactly how it works in WCF. Based on the configured authentication and credential type, WCF creates a corresponding IIdentity implementation—a WindowsIdentity for Windows authentication, a GenericIdentity for most other cases. Then, based on the configuration of the WCF service behavior, ServiceAuthorization, an IPrincipal implementation is created that wraps this identity and provides role information. This IPrincipal is then set on Thread.CurrentPrincipal so that it is accessible to the service operations. Send your questions and comments to sstation@microsoft.com. Code download available at msdn.microsoft.com/magazine/cc135911. October 2008 65 http://msdn.microsoft.com/magazine/cc135911 Table of Contents for the Digital Edition of MSDN Magazine - October 2008MSDN Magazine - October 2008ContentsToolboxCLR Inside OutBasic InstinctsCutting EdgePatterns In PracticeService StationParadigm ShiftCoding ToolsConcurrency HazardsAsp.net AJAX 4.0Easy AsyncFoundationsWindows With C++Going Places.NET Matters{ End Bracket }MSDN Magazine - October 2008MSDN Magazine - October 2008 - (Page Intro)MSDN Magazine - October 2008 - Contents (Page Cover1)MSDN Magazine - October 2008 - Contents (Page Cover2)MSDN Magazine - October 2008 - Contents (Page 1)MSDN Magazine - October 2008 - Contents (Page 2)MSDN Magazine - October 2008 - Contents (Page 3)MSDN Magazine - October 2008 - Contents (Page 4)MSDN Magazine - October 2008 - Contents (Page 5)MSDN Magazine - October 2008 - Contents (Page 6)MSDN Magazine - October 2008 - Contents (Page 7)MSDN Magazine - October 2008 - Contents (Page 8)MSDN Magazine - October 2008 - Contents (Page 9)MSDN Magazine - October 2008 - Contents (Page 10)MSDN Magazine - October 2008 - Toolbox (Page 11)MSDN Magazine - October 2008 - Toolbox (Page 12)MSDN Magazine - October 2008 - Toolbox (Page 13)MSDN Magazine - October 2008 - Toolbox (Page 14)MSDN Magazine - October 2008 - Toolbox (Page 15)MSDN Magazine - October 2008 - Toolbox (Page 16)MSDN Magazine - October 2008 - CLR Inside Out (Page 17)MSDN Magazine - October 2008 - CLR Inside Out (Page 18)MSDN Magazine - October 2008 - CLR Inside Out (Page 19)MSDN Magazine - October 2008 - CLR Inside Out (Page 20)MSDN Magazine - October 2008 - CLR Inside Out (Page 21)MSDN Magazine - October 2008 - CLR Inside Out (Page 22)MSDN Magazine - October 2008 - Basic Instincts (Page 23)MSDN Magazine - October 2008 - Basic Instincts (Page 24)MSDN Magazine - October 2008 - Basic Instincts (Page 25)MSDN Magazine - October 2008 - Basic Instincts (Page 26)MSDN Magazine - October 2008 - Basic Instincts (Page 27)MSDN Magazine - October 2008 - Basic Instincts (Page 28)MSDN Magazine - October 2008 - Basic Instincts (Page 29)MSDN Magazine - October 2008 - Basic Instincts (Page 30)MSDN Magazine - October 2008 - Basic Instincts (Page 31)MSDN Magazine - October 2008 - Basic Instincts (Page 32)MSDN Magazine - October 2008 - Cutting Edge (Page 33)MSDN Magazine - October 2008 - Cutting Edge (Page 34)MSDN Magazine - October 2008 - Cutting Edge (Page 35)MSDN Magazine - October 2008 - Cutting Edge (Page 36)MSDN Magazine - October 2008 - Cutting Edge (Page 37)MSDN Magazine - October 2008 - Cutting Edge (Page 38)MSDN Magazine - October 2008 - Cutting Edge (Page 39)MSDN Magazine - October 2008 - Cutting Edge (Page 40)MSDN Magazine - October 2008 - Cutting Edge (Page 41)MSDN Magazine - October 2008 - Cutting Edge (Page 42)MSDN Magazine - October 2008 - Patterns In Practice (Page 43)MSDN Magazine - October 2008 - Patterns In Practice (Page 44)MSDN Magazine - October 2008 - Patterns In Practice (Page 45)MSDN Magazine - October 2008 - Patterns In Practice (Page 46)MSDN Magazine - October 2008 - Patterns In Practice (Page 47)MSDN Magazine - October 2008 - Patterns In Practice (Page 48)MSDN Magazine - October 2008 - Patterns In Practice (Page 49)MSDN Magazine - October 2008 - Patterns In Practice (Page 50)MSDN Magazine - October 2008 - Patterns In Practice (Page 51)MSDN Magazine - October 2008 - Patterns In Practice (Page 52)MSDN Magazine - October 2008 - Patterns In Practice (Page 53)MSDN Magazine - October 2008 - Patterns In Practice (Page 54)MSDN Magazine - October 2008 - Patterns In Practice (Page 55)MSDN Magazine - October 2008 - Patterns In Practice (Page 56)MSDN Magazine - October 2008 - Patterns In Practice (Page 57)MSDN Magazine - October 2008 - Patterns In Practice (Page 58)MSDN Magazine - October 2008 - Patterns In Practice (Page 59)MSDN Magazine - October 2008 - Patterns In Practice (Page 60)MSDN Magazine - October 2008 - Patterns In Practice (Page 61)MSDN Magazine - October 2008 - Patterns In Practice (Page 62)MSDN Magazine - October 2008 - Patterns In Practice (Page 63)MSDN Magazine - October 2008 - Patterns In Practice (Page 64)MSDN Magazine - October 2008 - Service Station (Page 65)MSDN Magazine - October 2008 - Service Station (Page 66)MSDN Magazine - October 2008 - Service Station (Page 67)MSDN Magazine - October 2008 - Service Station (Page 68)MSDN Magazine - October 2008 - Service Station (Page 69)MSDN Magazine - October 2008 - Service Station (Page 70)MSDN Magazine - October 2008 - Service Station (Page 71)MSDN Magazine - October 2008 - Service Station (Page 72)MSDN Magazine - October 2008 - Service Station (Page 73)MSDN Magazine - October 2008 - Paradigm Shift (Page 74)MSDN Magazine - October 2008 - Paradigm Shift (Page 75)MSDN Magazine - October 2008 - Paradigm Shift (Page 76)MSDN Magazine - October 2008 - Paradigm Shift (Page 77)MSDN Magazine - October 2008 - Paradigm Shift (Page 78)MSDN Magazine - October 2008 - Paradigm Shift (Page 79)MSDN Magazine - October 2008 - Paradigm Shift (Page 80)MSDN Magazine - October 2008 - Paradigm Shift (Page 81)MSDN Magazine - October 2008 - Paradigm Shift (Page 82)MSDN Magazine - October 2008 - Paradigm Shift (Page 83)MSDN Magazine - October 2008 - Paradigm Shift (Page 84)MSDN Magazine - October 2008 - Paradigm Shift (Page 85)MSDN Magazine - October 2008 - Coding Tools (Page 86)MSDN Magazine - October 2008 - Coding Tools (Page 87)MSDN Magazine - October 2008 - Coding Tools (Page 88)MSDN Magazine - October 2008 - Coding Tools (Page 89)MSDN Magazine - October 2008 - Coding Tools (Page 90)MSDN Magazine - October 2008 - Coding Tools (Page 91)MSDN Magazine - October 2008 - Coding Tools (Page 92)MSDN Magazine - October 2008 - Coding Tools (Page 93)MSDN Magazine - October 2008 - Coding Tools (Page 94)MSDN Magazine - October 2008 - Coding Tools (Page 95)MSDN Magazine - October 2008 - Coding Tools (Page 96)MSDN Magazine - October 2008 - Coding Tools (Page 97)MSDN Magazine - October 2008 - Coding Tools (Page 98)MSDN Magazine - October 2008 - Coding Tools (Page 99)MSDN Magazine - October 2008 - Coding Tools (Page 100)MSDN Magazine - October 2008 - Coding Tools (Page 101)MSDN Magazine - October 2008 - Coding Tools (Page 102)MSDN Magazine - October 2008 - Coding Tools (Page 103)MSDN Magazine - October 2008 - Concurrency Hazards (Page 104)MSDN Magazine - October 2008 - Concurrency Hazards (Page 105)MSDN Magazine - October 2008 - Concurrency Hazards (Page 106)MSDN Magazine - October 2008 - Concurrency Hazards (Page 107)MSDN Magazine - October 2008 - Concurrency Hazards (Page 108)MSDN Magazine - October 2008 - Concurrency Hazards (Page 109)MSDN Magazine - October 2008 - Concurrency Hazards (Page 110)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 111)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 112)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 113)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 114)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 115)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 116)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 117)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 118)MSDN Magazine - October 2008 - Easy Async (Page 119)MSDN Magazine - October 2008 - Easy Async (Page 120)MSDN Magazine - October 2008 - Easy Async (Page 121)MSDN Magazine - October 2008 - Easy Async (Page 122)MSDN Magazine - October 2008 - Easy Async (Page 123)MSDN Magazine - October 2008 - Easy Async (Page 124)MSDN Magazine - October 2008 - Easy Async (Page 125)MSDN Magazine - October 2008 - Easy Async (Page 126)MSDN Magazine - October 2008 - Easy Async (Page 127)MSDN Magazine - October 2008 - Easy Async (Page 128)MSDN Magazine - October 2008 - Foundations (Page 129)MSDN Magazine - October 2008 - Foundations (Page 130)MSDN Magazine - October 2008 - Foundations (Page 131)MSDN Magazine - October 2008 - Foundations (Page 132)MSDN Magazine - October 2008 - Foundations (Page 133)MSDN Magazine - October 2008 - Foundations (Page 134)MSDN Magazine - October 2008 - Foundations (Page 135)MSDN Magazine - October 2008 - Foundations (Page 136)MSDN Magazine - October 2008 - Foundations (Page 137)MSDN Magazine - October 2008 - Foundations (Page 138)MSDN Magazine - October 2008 - Windows With C++ (Page 139)MSDN Magazine - October 2008 - Windows With C++ (Page 140)MSDN Magazine - October 2008 - Windows With C++ (Page 141)MSDN Magazine - October 2008 - Windows With C++ (Page 142)MSDN Magazine - October 2008 - Windows With C++ (Page 143)MSDN Magazine - October 2008 - Windows With C++ (Page 144)MSDN Magazine - October 2008 - Going Places (Page 145)MSDN Magazine - October 2008 - Going Places (Page 146)MSDN Magazine - October 2008 - Going Places (Page 147)MSDN Magazine - October 2008 - Going Places (Page 148)MSDN Magazine - October 2008 - Going Places (Page 149)MSDN Magazine - October 2008 - Going Places (Page 150)MSDN Magazine - October 2008 - Going Places (Page 151)MSDN Magazine - October 2008 - Going Places (Page 152)MSDN Magazine - October 2008 - .NET Matters (Page 153)MSDN Magazine - October 2008 - .NET Matters (Page 154)MSDN Magazine - October 2008 - .NET Matters (Page 155)MSDN Magazine - October 2008 - .NET Matters (Page 156)MSDN Magazine - October 2008 - .NET Matters (Page 157)MSDN Magazine - October 2008 - .NET Matters (Page 158)MSDN Magazine - October 2008 - .NET Matters (Page 159)MSDN Magazine - October 2008 - { End Bracket } (Page 160)MSDN Magazine - October 2008 - { End Bracket } (Page Cover3)MSDN Magazine - October 2008 - { End Bracket } (Page Cover4)http://www.nxtbook.com/nxtbooks/cmp/msdnmag1109http://www.nxtbook.com/nxtbooks/cmp/msdnmag1009http://www.nxtbook.com/nxtbooks/cmp/msdnmag0909http://www.nxtbook.com/nxtbooks/cmp/msdnmag0809http://www.nxtbook.com/nxtbooks/cmp/msdnmag0709http://www.nxtbook.com/nxtbooks/cmp/msdnmag0609http://www.nxtbook.com/nxtbooks/cmp/msdnmag0509http://www.nxtbook.com/nxtbooks/cmp/msdnmag0409http://www.nxtbook.com/nxtbooks/cmp/msdnmag0309http://www.nxtbook.com/nxtbooks/cmp/msdnmag0209http://www.nxtbook.com/nxtbooks/cmp/msdnmag0109http://www.nxtbook.com/nxtbooks/cmp/msdnmag1208http://www.nxtbook.com/nxtbooks/cmp/msdnmag1108http://www.nxtbook.com/nxtbooks/cmp/msdnmag1008http://www.nxtbook.com/nxtbooks/cmp/msdnmag0908http://www.nxtbook.com/nxtbooks/cmp/msdnmag0808http://www.nxtbook.com/nxtbooks/cmp/msdnmag0708http://www.nxtbook.com/nxtbooks/cmp/msdnmag0608http://www.nxtbook.com/nxtbooks/cmp/msdnmag0408http://www.nxtbook.com/nxtbooks/cmp/msdnmag0308http://www.nxtbook.com/nxtbooks/cmp/msdnmag-launch021508http://www.nxtbook.com/nxtbooks/cmp/msdnmag0208http://www.nxtbook.com/nxtbooks/cmp/msdnmag0108http://www.nxtbook.com/nxtbooks/cmp/msdnmag1207http://www.nxtbookMEDIA.com

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.