WCF Security: How restrict an endpoint to only response to a given windows user or group?

Hi Max,

As for security Authorization, the standard approach is to implement a
custom AuthorizationManager so that we can define our own authorization
code logic inside the AuthorizationManager(you can write code which read
authorization rules from config file). Here are some articles about
implementing a custom AuthorizationManager:

#How to: Create a Custom Authorization Manager for a Service
http://msdn.microsoft.com/en-us/library/ms731774.aspx

#How-To: Implement a WCF Authorization Manager Using AzMan
http://weblogs.asp.net/spano/archive...nt-a-wcf-autho
rization-manager-using-azman.aspx

In addition, if you use some certain bindings which support
"TransportCredentialOnly" security mode(such as basicHttpbinding), you can
simply write code in your WCF service to check the current Thread's
security identity. For example, here is an example WCF service which use
basichttpbinding and configured to use "TransportCredentialOnly" + windows
client credential.

=============================
<system.serviceModel>
<services>
<service name="Service" behaviorConfiguration="ServiceBehavior">

<endpoint address="" binding="basicHttpBinding"
bindingConfiguration="secBinding"
contract="IService">

<identity>
<dns value="localhost"/>
</identity>
</endpoint>

</service>
</services>

<bindings>

<basicHttpBinding>
<binding name="secBinding" >
<security mode="TransportCredentialOnly" >
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
===================================

in service code, you can check the client identity via;

=====service method=======
public string GetData(int value)
{
string name = HttpContext.Current.User.Identity.Name;

return string.Format("You entered: {0}", value.ToString() +
Thread.CurrentPrincipal.Identity.Name);
}
============

and in client-side code, you need to supply the correct user credentials:

================
static void Run()
{
WCFSVC.ServiceClient client = new
ConsoleClient.WCFSVC.ServiceClient();

//or you can use the default credentials instead of supply a custom account
client.ClientCredentials.Windows.ClientCredential = new
System.Net.NetworkCredential("username", "Password!");

string ret = client.GetData(5);

Console.WriteLine(ret);
}
==================
Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Max2006" <al*******@newsgroup.nospam>
Subject: WCF Security: How restrict an endpoint to only response to a given
windows user or group?
Date: Thu, 9 Oct 2008 11:25:31 -0400

Hi,

I am trying to limit my wcf service endpoint to response to only given
windows user or group. How can I do that? Is there any way to configure
that
in the .config file?

Thank you,
Max

Hi Steven,

Since this is a very simple authorization requirement (response only to
DOMAIN\Group) I am wondering if there is any out of the box feature in WCF
to address the requirement.

Thank you,
Max

""Steven Cheng"" <st*****@online.microsoft.comwrote in message
news:AA**************@TK2MSFTNGHUB02.phx.gbl...

Hi Max,

As for security Authorization, the standard approach is to implement a
custom AuthorizationManager so that we can define our own authorization
code logic inside the AuthorizationManager(you can write code which read
authorization rules from config file). Here are some articles about
implementing a custom AuthorizationManager:

#How to: Create a Custom Authorization Manager for a Service
http://msdn.microsoft.com/en-us/library/ms731774.aspx

#How-To: Implement a WCF Authorization Manager Using AzMan
http://weblogs.asp.net/spano/archive...nt-a-wcf-autho
rization-manager-using-azman.aspx

In addition, if you use some certain bindings which support
"TransportCredentialOnly" security mode(such as basicHttpbinding), you can
simply write code in your WCF service to check the current Thread's
security identity. For example, here is an example WCF service which use
basichttpbinding and configured to use "TransportCredentialOnly" + windows
client credential.

=============================
<system.serviceModel>
<services>
<service name="Service" behaviorConfiguration="ServiceBehavior">

<endpoint address="" binding="basicHttpBinding"
bindingConfiguration="secBinding"
contract="IService">

<identity>
<dns value="localhost"/>
</identity>
</endpoint>

</service>
</services>

<bindings>

<basicHttpBinding>
<binding name="secBinding" >
<security mode="TransportCredentialOnly" >
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
===================================

in service code, you can check the client identity via;

=====service method=======
public string GetData(int value)
{
string name = HttpContext.Current.User.Identity.Name;

return string.Format("You entered: {0}", value.ToString() +
Thread.CurrentPrincipal.Identity.Name);
}
============

and in client-side code, you need to supply the correct user credentials:

================
static void Run()
{
WCFSVC.ServiceClient client = new
ConsoleClient.WCFSVC.ServiceClient();

//or you can use the default credentials instead of supply a custom
account
client.ClientCredentials.Windows.ClientCredential = new
System.Net.NetworkCredential("username", "Password!");

string ret = client.GetData(5);

Console.WriteLine(ret);
}
==================
Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subs...#notifications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
From: "Max2006" <al*******@newsgroup.nospam>
Subject: WCF Security: How restrict an endpoint to only response to a
given
windows user or group?
Date: Thu, 9 Oct 2008 11:25:31 -0400

Hi,

I am trying to limit my wcf service endpoint to response to only given
windows user or group. How can I do that? Is there any way to configure
that
in the .config file?

Thank you,
Max

Thanks for your reply Max,

Yes, since impelementing a pure WCF solution is abit overkill, I first look
for some solution which rely on the ASP.NET authorization (which can
leverage the web.config <authorization>). However, based on my local test,
WCF requests doesn't be processed via that authorization system. And so
far the simple solution I can find is just use windows authentication and
let the identity of client be forwarded to WCF service, and we perform
check on the current thread's security identity to do authorization.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

--------------------
From: "Max2006" <al*******@newsgroup.nospam>
References: <D1**********************************@microsoft.co m>
<AA**************@TK2MSFTNGHUB02.phx.gbl>
Subject: Re: WCF Security: How restrict an endpoint to only response to a
given windows user or group?
Date: Fri, 10 Oct 2008 11:44:17 -0400
Hi Steven,

Since this is a very simple authorization requirement (response only to
DOMAIN\Group) I am wondering if there is any out of the box feature in WCF
to address the requirement.

Thank you,
Max

""Steven Cheng"" <st*****@online.microsoft.comwrote in message
news:AA**************@TK2MSFTNGHUB02.phx.gbl...

Hi Max,

As for security Authorization, the standard approach is to implement a
custom AuthorizationManager so that we can define our own authorization
code logic inside the AuthorizationManager(you can write code which read
authorization rules from config file). Here are some articles about
implementing a custom AuthorizationManager:

#How to: Create a Custom Authorization Manager for a Service
http://msdn.microsoft.com/en-us/library/ms731774.aspx

#How-To: Implement a WCF Authorization Manager Using AzMan

http://weblogs.asp.net/spano/archive...nt-a-wcf-autho

rization-manager-using-azman.aspx

In addition, if you use some certain bindings which support
"TransportCredentialOnly" security mode(such as basicHttpbinding), you can
simply write code in your WCF service to check the current Thread's
security identity. For example, here is an example WCF service which use
basichttpbinding and configured to use "TransportCredentialOnly" + windows
client credential.

Hi Steven,

>And so far the simple solution I can find is just use windows
authentication and let the identity of client be forwarded to WCF
service, and we perform check on the current thread's security identity
to do authorization.

We have 740 service methods and we want to secure them. It is a questionable
architecture if we have to add the check code to any single method.
Is there anyway in WCF to add the authorization behavior to all services?

Thank you,
Max

""Steven Cheng"" <st*****@online.microsoft.comwrote in message
news:oS**************@TK2MSFTNGHUB02.phx.gbl...

Thanks for your reply Max,

Yes, since impelementing a pure WCF solution is abit overkill, I first
look
for some solution which rely on the ASP.NET authorization (which can
leverage the web.config <authorization>). However, based on my local test,
WCF requests doesn't be processed via that authorization system. And so
far the simple solution I can find is just use windows authentication and
let the identity of client be forwarded to WCF service, and we perform
check on the current thread's security identity to do authorization.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

--------------------
From: "Max2006" <al*******@newsgroup.nospam>
References: <D1**********************************@microsoft.co m>
<AA**************@TK2MSFTNGHUB02.phx.gbl>
Subject: Re: WCF Security: How restrict an endpoint to only response to a
given windows user or group?
Date: Fri, 10 Oct 2008 11:44:17 -0400
Hi Steven,

Since this is a very simple authorization requirement (response only to
DOMAIN\Group) I am wondering if there is any out of the box feature in WCF
to address the requirement.

Thank you,
Max

""Steven Cheng"" <st*****@online.microsoft.comwrote in message
news:AA**************@TK2MSFTNGHUB02.phx.gbl...

>Hi Max,

As for security Authorization, the standard approach is to implement a
custom AuthorizationManager so that we can define our own authorization
code logic inside the AuthorizationManager(you can write code which read
authorization rules from config file). Here are some articles about
implementing a custom AuthorizationManager:

#How to: Create a Custom Authorization Manager for a Service
http://msdn.microsoft.com/en-us/library/ms731774.aspx

#How-To: Implement a WCF Authorization Manager Using AzMan

http://weblogs.asp.net/spano/archive...nt-a-wcf-autho

>rization-manager-using-azman.aspx

In addition, if you use some certain bindings which support
"TransportCredentialOnly" security mode(such as basicHttpbinding), you
can
simply write code in your WCF service to check the current Thread's
security identity. For example, here is an example WCF service which use
basichttpbinding and configured to use "TransportCredentialOnly" +
windows
client credential.

"Max2006" <al*******@newsgroup.nospamwrote in message
news:06**********************************@microsof t.com...

Hi Steven,

>>And so far the simple solution I can find is just use windows
authentication and let the identity of client be forwarded to WCF
service, and we perform check on the current thread's security identity
to do authorization.

We have 740 service methods and we want to secure them. It is a
questionable architecture if we have to add the check code to any single
method.
Is there anyway in WCF to add the authorization behavior to all services?

There is. See this month's MSDN Magazine in the Service Station column.
That's what it is about.

BTW, I find there are more WCF experts in the WCF Forum at
http://social.msdn.microsoft.com/for...S/wcf/threads/.
--
John Saunders | MVP - Connected System Developer