
Role-based authentication for the WCF REST service

I am trying to implement role-based authentication for a REST WCF service. I have read a lot of information on this topic but have not got a clear understanding of what I have to do. I understand how to restrict access to the service using the [PrincipalPermission] attribute, but I don't know how to check whether the user belongs to a certain role or not. Therefore I will be very grateful if somebody can point me in the right direction (e.g. make a roadmap of what I should do to achieve this goal).

Let me describe the situation. I have remote services hosted on server A and an ASP.Net MVC client hosted on server B. All of these REST services have access to the database, where I can read information about whether the user has access to the service or not.

OK, Tequila, IMO what you really want, based on your description, is a normal REST WCF service with a Login(ID as string, PWD as string) method that (perhaps) returns a SessionID. This Login() or SessionID check method would then precede access to all of your other methods. And since it's a webHttpBinding -- effectively a stateless web service -- you'll need to check the SessionID or ID/Password before each request is processed.

So the workflow would be something like this:

1) Client sends a Login() request to the host.
2) Host checks ID/Password against the DB and creates a SessionID in the DB that times out after x hours, forcing a new Login(). The SessionID is returned to the client in the response.
3) In all subsequent requests, the client must provide that SessionID. That SessionID is checked against the DB, returning the stored information about the client (Role, name, ID, address ... whatever is useful) before the remainder of the request is processed.

There are methods for authenticating users BEFORE the request gets to your working code (like client authentication using Forms or client certificates; see http://msdn.microsoft.com/en-us/library/ff405740.aspx ). This shifts the Login() / SessionID check to a method executed BEFORE the request hits your main program, but the steps are basically the same.

And since passing ID/Pwd in clear text over the web is a no-no, you'd want to implement SSL on your web service (see http://msdn.microsoft.com/en-us/library/ff650785.aspx ).

Everything I've described is basically platform independent, so if you'll have iOS or Android clients, there's nothing in what I've described that would prohibit those OSs from successfully interacting with your web service.

Good luck.
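The three-step workflow in the answer above (Login() issues a SessionID, every later request carries it, the service resolves it to a stored user record and role before doing any work), written out as an added example that is not part of the original answer. It is deliberately not WCF code: the answer's point is that the check is platform independent, so the server-side logic is shown in plain Python with in-memory dictionaries standing in for the DB tables. The user names, passwords, roles, the 4-hour session lifetime and the `handle_request` gate are all assumptions made for the illustration; in a WCF service the same check would run in the method body or in a message inspector before the operation executes.

```python
"""Login + per-request SessionID check for a stateless REST service.

Illustrative server-side logic only; the DB is replaced by in-memory
dictionaries and all accounts and values below are constructed for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SESSION_TTL_SECONDS = 4 * 3600  # "times out after x hours"; 4 hours is an assumed value


@dataclass
class User:
    user_id: str
    role: str
    salt: bytes
    pwd_hash: bytes


@dataclass
class Session:
    user_id: str
    expires_at: float


def hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash, never the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(user_id: str, role: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(user_id, role, salt, hash_password(password, salt))


class AuthStore:
    """Stands in for the two DB tables the answer describes: users and sessions."""

    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.sessions = {}  # session_id -> Session

    def login(self, user_id: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Step 1/2: verify ID/Password, create a SessionID with an expiry, return it."""
        now = time.time() if now is None else now
        user = self.users.get(user_id)
        # Hash and compare even for unknown IDs so response time does not reveal
        # which user IDs exist; compare_digest avoids a byte-by-byte timing leak.
        salt = user.salt if user else b"\x00" * 16
        expected = user.pwd_hash if user else b"\x00" * 32
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        if user is None or not ok:
            return None
        # The SessionID is a random, unguessable token, not derived from user data.
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = Session(user.user_id, now + SESSION_TTL_SECONDS)
        return session_id

    def lookup(self, session_id: str, now: Optional[float] = None) -> Optional[User]:
        """Step 3: resolve a SessionID to the stored user record, or None if unknown/expired."""
        now = time.time() if now is None else now
        session = self.sessions.get(session_id)
        if session is None:
            return None
        if now >= session.expires_at:
            del self.sessions[session_id]  # expired: force a new Login()
            return None
        return self.users[session.user_id]


def handle_request(store: AuthStore, session_id: str, required_role: str,
                   now: Optional[float] = None):
    """Gate run before every service method. Returns (http_status, user_or_None).

    401: no valid session (client must Login() again); 403: valid session, wrong role.
    """
    user = store.lookup(session_id, now)
    if user is None:
        return 401, None
    if user.role != required_role:
        return 403, None
    return 200, user


if __name__ == "__main__":
    store = AuthStore([make_user("alice", "admin", "correct horse battery"),
                       make_user("bob", "user", "hunter2")])
    sid = store.login("alice", "correct horse battery")
    print(handle_request(store, sid, "admin")[0])   # admin calling an admin method
    print(handle_request(store, sid, "user")[0])    # role mismatch
    print(handle_request(store, "bogus", "user")[0])  # unknown SessionID
```

Because the binding is stateless, `handle_request` has to run on every call; the expiry check is what turns the "times out after x hours" requirement into a forced re-login, and the role comes from the server-side record, never from anything the client sends along with the SessionID.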
