9
votes

My scenario is a 3-Tier app where the data tier is a SQL Server database, the middle tier is a WCF application hosted in a Windows Service and finally the presentation is an Asp.Net MVC application.

As usual, the middle tier is the one that performs all of the business logic. Access database, define business rules.. etc.

Okay, so far so good! BUT now here's question: How do you handle security in such a scenario? I mean, the user has to log in on the ASP.NET application, but I want to authenticate it not only in ASP but in the WCF middle tier as well, since a WCF service is supposed to be accessed by more apps.

I want the user to log in on the Asp.Net application and let WCF know the credentials as well. Is there some kind of session in WCF in which to specify a logged in user?

How do pros handle security in this case? I know you can secure the WCF services with message security, but how do Asp.Net and WCF sync on a single logged user? I want to secure WCF operations depending on the user for authorization means.

2
This is too big a question to handle on SO - it takes up 50 pages in the WCF training kit. Suggest you start with some research and then post any specific questions you have - mscerts.net/programming/… – Greg Sansom
An N-Tier app? What is N? 2? 3? 20? – Charles Boyung
This is phrased in a vague general way but the question is still valid. I want the user authenticated by ASP.NET to be passed up the chain to the WCF service as the logged-in user. Why is that so hard? – DaveN59

2 Answers

2
votes

I would suggest looking into using an approach like HMAC (Hash Message Authentication Code) for your security, or a similar token-based approach. The idea would be to sign your requests to your WCF layer which can be used to authenticate the request and identify the user making the request.

The essential elements would be a token and a shared secret of some sort used for signing each request. The token would allow you to identify the user on the WCF end, and lookup the shared secret to verify the request. You can also added timestamps / nonces to prevent replay attacks and such.

I've used this approach for some REST services built on WCF - with the added benefit that clients do not need to store usernames and passwords, just the security tokens used for communication. In your case you'll need to sort out how to exchange the tokens between the ASP.NET layer and the WCF layer, but it would provide you a unified authentication method for any consumer of your WCF services.
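The signing scheme this answer describes, worked through end to end as an added example (not code from the answerer or from WCF; the technique is language-agnostic, so it is shown in Python rather than C# so it can be run directly). The caller (the ASP.NET tier) signs each request with a per-user token and shared secret, and the service (the WCF tier) looks the secret up by token, recomputes the HMAC, enforces a timestamp window and rejects reused nonces. The header names, the token store and the secret are constructed for the example:

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample token store on the service side: token -> (user, shared secret).
# In a real deployment this would be a database lookup keyed by the issued token.
TOKEN_STORE = {
    "tok-alice-01": ("alice", b"constructed-shared-secret-for-alice"),
}

# How far a request timestamp may drift from the service clock before it is rejected.
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, body, token, timestamp, nonce):
    """Build the exact byte string both sides sign. Hashing the body binds it to
    the signature, so a tampered payload fails verification."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, token, str(timestamp), nonce])


def sign_request(method, path, body, token, secret, timestamp=None, nonce=None):
    """Client side: produce the auth headers for one request.
    timestamp and nonce are parameters only so tests can use fixed values."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, body, token, timestamp, nonce)
    sig = hmac.new(secret, msg.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "X-Auth-Token": token,          # identifies the user; not secret by itself
        "X-Auth-Timestamp": str(timestamp),
        "X-Auth-Nonce": nonce,
        "X-Auth-Signature": sig,
    }


class RequestVerifier:
    """Service side: authenticates a request and returns the user it belongs to."""

    def __init__(self, token_store, now=time.time):
        self._store = token_store
        self._now = now                 # injectable clock for deterministic tests
        self._seen_nonces = {}          # nonce -> expiry time (seconds)

    def verify(self, method, path, body, headers):
        """Return the authenticated user name, or None if the request is rejected."""
        entry = self._store.get(headers.get("X-Auth-Token"))
        if entry is None:
            return None                 # unknown or missing token
        user, secret = entry
        try:
            ts = int(headers["X-Auth-Timestamp"])
            nonce = headers["X-Auth-Nonce"]
            sig = headers["X-Auth-Signature"]
        except (KeyError, ValueError):
            return None                 # malformed auth headers

        now = int(self._now())
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return None                 # stale or far-future timestamp

        # Drop nonces that are already outside the window; they can no longer be replayed
        # because the timestamp check above would reject them anyway.
        self._seen_nonces = {n: exp for n, exp in self._seen_nonces.items() if exp > now}
        if nonce in self._seen_nonces:
            return None                 # replayed request

        expected = hmac.new(
            secret,
            canonical_string(method, path, body, headers["X-Auth-Token"], ts, nonce).encode("utf-8"),
            hashlib.sha256,
        ).hexdigest()
        # Constant-time comparison; only record the nonce once the signature is valid,
        # so unauthenticated traffic cannot fill the nonce cache.
        if not hmac.compare_digest(expected, sig):
            return None
        self._seen_nonces[nonce] = ts + MAX_SKEW_SECONDS
        return user


if __name__ == "__main__":
    token, (user, secret) = next(iter(TOKEN_STORE.items()))
    hdrs = sign_request("POST", "/orders", b'{"id": 1}', token, secret)
    verifier = RequestVerifier(TOKEN_STORE)
    print("first call:", verifier.verify("POST", "/orders", b'{"id": 1}', hdrs))   # alice
    print("replay:", verifier.verify("POST", "/orders", b'{"id": 1}', hdrs))       # None
```

The token lets the service map a request to a user and its secret without ever seeing a password, which is the "no stored usernames and passwords" property mentioned above; the nonce cache and timestamp window together are what turn a captured request into a one-time value.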

0
votes

Have a look here for UserName Password authentication.

ASP.NET Web Site + Windows Forms App + WCF Service: Client Credentials //for insights