RESTful webservice authentication RSS

• • Reply
  

  percybhai

  0 Points

  3 Posts

  RESTful webservice authentication

  Dec 20, 2009 12:52 PM|LINK

  Hi,

  
  

  How to restrict the access to resful webservice in WCF 3.5?i just want the access to the webservice be available to selected users,i dont want certificate based authentication.How to achieve this?
  

  
  

  • Moved by Mikesdotnetting on Dec 20, 2009 01:45 PM
• • Reply
  

  stiletto

  All-Star

  16995 Points

  3304 Posts

  Re: RESTful webservice authentication

  Dec 23, 2009 12:20 PM|LINK

  You just package the current user credentials (whatever they may be) as part of the request.

  If you can't add them as specific parameters, I've seen techniques where they credentials are added to the headers being sent with the request.
  

• • Reply
  

  PAULSC

  Member

  41 Points

  22 Posts

  Re: RESTful webservice authentication

  Apr 17, 2011 08:37 PM|LINK

  As stiletto says - you should be able to place the authorization into the headers - although to be honest I'm having fun and games getting that working. You could of course pass some kind of token in the parameters but this quickly becomes a royal pain - and validation has to be added to each and every method.

  Adding it to the Headers also means you can intercept the message before it gets to the methods themselves - this allows you to seperate the security handling code from the implementation - and it does not need to execute the method in order to validate the user.

  That's the theory anyway.

   

• • Reply
  

  paodeoro

  Member

  4 Points

  2 Posts

  Re: RESTful webservice authentication

  Jun 16, 2011 06:39 PM|LINK

  You can let IIS do the authentication. Put this in web.config
  
   
  
  <authentication mode="Windows"/>
  
   
  
  Using IIS Manager configure enable Authentication in the Web application hosting the REST WCF service.
  
  I have successfully used Basic, Digest and Windows authentication.
  
  Client certificate is also supported (did not try that yet).
  
  The Authentication is performed by the Active Directory or the local windows users NT security.
  
   
  
  The MS REST HttpClient takes care of generating the correct HTTP headers according to HTTP  authentication standards.
  
   
  
  Notes:
  
  -          Don’t use Basic Authentication over HTTP. Basic Authentication is OK only over HTTPS.
  
  -          Windows authentication does not work across firewalls (or the Internet).
  
  -          Digest is a good choice for HTTP and Internet but the password must be stored using reversible encryption
  
  -          To avoid doubling every call to IIS use:  HttpClient.TransportSettings.PreAuthenticate = true;
  
   
  
  Role base security using Active Directory or local user groups  is already available using, for example,

  the technique to decorate you REST WCF entry point with something like:
  
  [PrincipalPermission(SecurityAction.Demand, Role = "SomeUserGroupName")]
  
   
  
  If you implement your custom role provider add this serviceBehaviors to the REST service in the web.config

  
        <serviceBehaviors>
  
          <behavior>
  
            <serviceAuthorization principalPermissionMode="UseAspNetRoles" />
  
          </behavior>
  
        </serviceBehaviors>
  
   
  
  In some cases you may want to implement a custom  Authentication provider (Membership provider).
  
  But that’s an entire new ball of wax that I’m still trying to figure out.

  • Edited by paodeoro on Jun 16, 2011 06:41 PM
  • Edited by paodeoro on Jun 16, 2011 06:42 PM
  • Edited by paodeoro on Jun 16, 2011 06:43 PM