
Demanding Permissions

How do I restrict access to an operation to particular Windows users?

There are three standard ways of doing something in WCF: through code, through attributes, and through configuration. Let's try to solve the problem using each of these methods.

Restricting access through code is done by creating a custom ServiceAuthorizationManager. Restricting access to a service operation could be done this way by looking up the service operation during the access check and comparing the caller's SID to the list of approved users. This method seems pretty clunky because it brings in a lot of service machinery unrelated to the service operation we want to secure. However, this method also seems pretty flexible because we can be very creative about how the authorization is performed if we want to go beyond simply evaluating membership.

Restricting access through attributes is done by making PrincipalPermission demands. Restricting access to a service operation could be done this way by decorating the service operation with role or user based demands. Best practice recommends using roles instead of specific users because it helps with administration, which is probably good advice for all of these approaches. Using principal permissions requires actually having the right principal for the current thread. Some extra code may end up being required anyway if the client invocation doesn't propagate the right kind of information.

Restricting access through configuration is done by setting up an external authorization provider. When in compatibility mode, there is some handy functionality provided by the ASP.NET pipeline to provide authorization integrated with ASP.NET membership providers. Even without ASP.NET though, the generic Authorization Manager can be used to manage and provide roles.
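The code and attribute approaches described above, shown side by side on one operation as an added example that is not code from the original post. The contract, the action URI, the group name and the SID are hypothetical placeholders, and either check alone is enough to restrict the operation.

```csharp
using System.Collections.Generic;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical contract; the explicit Action gives the access check a stable key.
[ServiceContract]
public interface IMailboxService
{
    [OperationContract(Action = "urn:example:mailbox/Delete")]
    void DeleteMailbox(string alias);
}

public class MailboxService : IMailboxService
{
    // Attribute approach: demand a role, which is a Windows group under the
    // default PrincipalPermissionMode.UseWindowsGroups. Group name is a placeholder.
    [PrincipalPermission(SecurityAction.Demand, Role = @"EXAMPLE\MailboxAdmins")]
    public void DeleteMailbox(string alias) { /* operation body */ }
}

// Code approach: look up the operation by Action, then compare the caller's SID.
public class SidAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed sample SID; replace with the approved accounts.
    static readonly Dictionary<string, HashSet<SecurityIdentifier>> Approved =
        new Dictionary<string, HashSet<SecurityIdentifier>>
        {
            { "urn:example:mailbox/Delete", new HashSet<SecurityIdentifier>
                { new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1001") } }
        };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        string action = operationContext.IncomingMessageHeaders.Action;
        if (action == null) return false; // assumes SOAP bindings: no key to look up, deny
        HashSet<SecurityIdentifier> allowed;
        if (!Approved.TryGetValue(action, out allowed))
            return base.CheckAccessCore(operationContext); // operation is not restricted

        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            return false; // no Windows caller to evaluate: deny
        SecurityIdentifier sid = ctx.WindowsIdentity.User; // null for an anonymous identity
        return sid != null && allowed.Contains(sid) && base.CheckAccessCore(operationContext);
    }
}
```

The manager takes effect once it is assigned to `host.Authorization.ServiceAuthorizationManager` or named in the `serviceAuthorizationManagerType` attribute of the `<serviceAuthorization>` behavior element.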

I like using the attribute-based method, but that's because I don't like to type a lot of code and because I rarely need to worry about deploying services on multiple systems. Each of the methods has its own strengths and weaknesses, so there isn't a universal choice that's best for everyone.

Next time: Suppressing Transactions During an Operation

Published Thursday, January 10, 2008 5:00 AM by Nicholas Allen

Comments

Thursday, January 10, 2008 3:42 PM by Nicholas Allen's Indigo Blog

# Basing Authorization on the Message Body

How do I use a field in the message to answer an authorization request in ServiceAuthorizationManager?

Thursday, January 10, 2008 4:08 PM by Dan Finucane

# re: Demanding Permissions

My favorite way to date to secure access to operations was through Windows Authorization Manager.  It worked something like this:

* Create a Windows Authorization Manager authorization store using its MMC snap-in.

* Create an application and add operation definitions and tasks to roll up the operations into a higher level concept.

* Create Windows Authorization Manager groups and assign rights to individual operations or tasks or both.

* Use the Windows Authorization Manager API to allow or reject access to web service operations. In .NET 1.1 web sites I did this by creating an Attribute-derived class called OperationRequiredAttribute that took an operation name and I decorated operations with it and then I had an HttpModule that used the AzMan APIs to see if the requesting client was allowed to perform the operation in question.

It worked great and I kept expecting Microsoft to provide this AzMan integration out of the box but I haven't seen it and when I posted a message to the AzMan newsgroup they had nothing to say.

It's a great model to secure operations or web pages by 'operation' instead of user or group because you can completely redo the site or services security policy simply by moving things around in the AzMan mmc. For example, if a customer support mailbox was at the time of development supposed to be able to use the DeleteMailbox operation but later it was decided they shouldn't it only takes a simple change in the AzMan mmc to make the change whereas if you secure by group you have to go remove the PrincipalPermissionAttribute from the DeleteMailbox operation.

What is the best way to integrate AzMan security into WCF?  Is there another way to accomplish the same thing?  Is there some reason AzMan support hasn't been integrated?

Thanks.

danf@brookdaleconsulting.com
