Last post Jun 16, 2011 06:39 PM by paodeoro
Dec 20, 2009 12:52 PM
How to restrict the access to a RESTful webservice in WCF 3.5? I just want the access to the webservice to be available to selected users; I don't want certificate-based authentication. How to achieve this?
Dec 23, 2009 12:20 PM
You just package the current user credentials (whatever they may be) as part of the request.
If you can't add them as specific parameters, I've seen techniques where the credentials are added to the headers being sent with the request.
Apr 17, 2011 08:37 PM
As stiletto says - you should be able to place the authorization into the headers - although to be honest I'm having fun and games getting that working. You could of course pass some kind of token in the parameters but this quickly becomes a royal pain - and validation has to be added to each and every method.
Adding it to the Headers also means you can intercept the message before it gets to the methods themselves - this allows you to separate the security handling code from the implementation - and it does not need to execute the method in order to validate
That's the theory anyway.
Jun 16, 2011 06:39 PM
You can let IIS do the authentication. Put this in web.config:

    <authentication mode="Windows"/>

Using IIS Manager, configure (enable) Authentication in the Web application hosting the REST WCF service. I have successfully used Basic, Digest and Windows authentication. Client certificate is also supported (did not try that yet). The authentication is performed by the Active Directory or the local Windows users NT security. The MS REST HttpClient takes care of generating the correct HTTP headers according to HTTP authentication standards.

Notes:
- Don't use Basic Authentication over HTTP. Basic Authentication is OK only over HTTPS.
- Windows authentication does not work across firewalls (or the Internet).
- Digest is a good choice for HTTP and Internet but the password must be stored using reversible encryption.
- To avoid doubling every call to IIS use: HttpClient.TransportSettings.PreAuthenticate = true;

Role-based security using Active Directory or local user groups is already available using, for example, the technique to decorate your REST WCF entry point with something like:

    [PrincipalPermission(SecurityAction.Demand, Role = "SomeUserGroupName")]

If you implement your custom role provider, add this serviceBehaviors to the REST service in the web.config:

    <serviceBehaviors>
      <behavior>
        <serviceAuthorization principalPermissionMode="UseAspNetRoles" />
      </behavior>
    </serviceBehaviors>

In some cases you may want to implement a custom Authentication provider (Membership provider). But that's an entire new ball of wax that I'm still trying to figure out.
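
Added example, not code from any poster in this thread: one way to do the header interception discussed above is a WCF ServiceAuthorizationManager, which runs before the operation is dispatched. The class and namespace names are hypothetical, and it assumes HTTPS, IIS anonymous access for the service, and configured ASP.NET membership and role providers.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Text;
using System.Web.Security;

// Hypothetical names. Register on the service behavior in web.config:
//   <serviceAuthorization serviceAuthorizationManagerType="RestSecurity.HeaderAuthorizationManager, RestSecurity" />
namespace RestSecurity
{
    public class HeaderAuthorizationManager : ServiceAuthorizationManager
    {
        private const string AllowedRole = "SomeUserGroupName"; // placeholder role name from the thread

        // Called before the service method runs; returning false denies the call.
        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            MessageProperties props = operationContext.IncomingMessageProperties;

            // Basic credentials are only acceptable over HTTPS, so refuse plain HTTP.
            if (props.Via == null || props.Via.Scheme != Uri.UriSchemeHttps)
                return false;

            object value;
            if (!props.TryGetValue(HttpRequestMessageProperty.Name, out value))
                return false;
            string header = ((HttpRequestMessageProperty)value).Headers["Authorization"];

            string user, password;
            if (!TryParseBasic(header, out user, out password))
                return false;

            // Assumption: membership and role providers are configured for this application.
            return Membership.ValidateUser(user, password) && Roles.IsUserInRole(user, AllowedRole);
        }

        // Parses "Basic base64(user:password)"; rejects missing or malformed headers.
        private static bool TryParseBasic(string header, out string user, out string password)
        {
            user = password = null;
            if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
                return false;
            byte[] raw;
            try { raw = Convert.FromBase64String(header.Substring(6).Trim()); }
            catch (FormatException) { return false; }
            string pair = Encoding.UTF8.GetString(raw); // assumes UTF-8 encoded credentials
            int colon = pair.IndexOf(':');
            if (colon <= 0) return false;
            user = pair.Substring(0, colon);
            password = pair.Substring(colon + 1);
            return true;
        }
    }
}
```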