Token based Authentication for WCF HTTP/REST Services: Authorization

Posted on Least Privilege. Published on Wed, 16 Nov 2011 08:11:50 GMT

In the previous post I showed how token based authentication can be implemented for WCF HTTP based services.

Authentication is the process of finding out who the user is – this includes anonymous users. Then it is up to the service to decide under which circumstances the client has access to the service as a whole or individual operations. This is called authorization.

By default – my framework does not allow anonymous users and will deny access right in the service authorization manager. You can however turn anonymous access on – technically that means that instead of denying access, an anonymous principal is placed on Thread.CurrentPrincipal. You can flip that switch in the configuration class that you pass into the service host/factory.

var configuration = new WebTokenWebServiceHostConfiguration
{
    AllowAnonymousAccess = true
};

But this is not enough: in addition you also need to decorate the individual operations to allow anonymous access as well, e.g.:

[AllowAnonymousAccess]
public string GetInfo()
{
    ...
}

Inside these operations you might have an authenticated or an anonymous principal on Thread.CurrentPrincipal, and it is up to your code to decide what to do.

Side note: Being a security guy, I like this opt-in approach to anonymous access much better than all those opt-out approaches out there (like the Authorize attribute – or this).

Claims-based Authorization
Since there is a ClaimsPrincipal available, you can use the standard WIF claims authorization manager infrastructure – either declaratively via ClaimsPrincipalPermission or programmatically (see also here).

[ClaimsPrincipalPermission(SecurityAction.Demand,
    Resource = "Claims",
    Operation = "View")]
public ViewClaims GetClientIdentity()
{
    return new ServiceLogic().GetClaims();
}

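The ClaimsPrincipalPermission demand above does not decide anything by itself; WIF hands the resource/operation pair to the registered ClaimsAuthorizationManager. The following is an added example of such a manager (not code from the post or from the downloadable solution), written against the WIF 1.0 Microsoft.IdentityModel API of that era; the Demo type name, the config snippet in the comment, and the role-to-operation policy are assumptions. It denies anonymous principals outright, so the opt-in [AllowAnonymousAccess] attribute stays the only path for unauthenticated callers.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Hypothetical manager that ClaimsPrincipalPermission demands are routed to.
// Assumed registration in web.config:
//   <microsoft.identityModel><service>
//     <claimsAuthorizationManager type="Demo.ServiceAuthorizationManager, Demo" />
public class ServiceAuthorizationManager : ClaimsAuthorizationManager
{
    // Constructed policy: "Resource:Operation" -> role claim values allowed to perform it.
    private static readonly Dictionary<string, string[]> Policy =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "Claims:View",   new[] { "User", "Admin" } },
            { "Claims:Manage", new[] { "Admin" } },
        };

    public override bool CheckAccess(AuthorizationContext context)
    {
        // ClaimsPrincipalPermission passes Resource and Operation as single claims.
        // A missing value is a failed demand, never a wildcard.
        var resource = context.Resource.Select(c => c.Value).FirstOrDefault();
        var action   = context.Action.Select(c => c.Value).FirstOrDefault();
        if (resource == null || action == null)
            return false;

        // Anonymous principals (AllowAnonymousAccess = true on the host) never satisfy a demand.
        var principal = context.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        string[] allowedRoles;
        if (!Policy.TryGetValue(resource + ":" + action, out allowedRoles))
            return false; // unknown resource/operation pair: deny by default

        // Collect role claims across all identities the token produced.
        var roles = principal.Identities
            .SelectMany(identity => identity.Claims)
            .Where(claim => claim.ClaimType == ClaimTypes.Role)
            .Select(claim => claim.Value);

        return roles.Any(role => allowedRoles.Contains(role, StringComparer.Ordinal));
    }

    // Programmatic counterpart of the declarative attribute: throws SecurityException on denial.
    public static void DemandView()
    {
        new ClaimsPrincipalPermission("Claims", "View").Demand();
    }
}
```

On .NET 4.5 the same shape exists under System.Security.Claims, except that Claim.ClaimType is named Claim.Type there.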
In addition you can also turn off per-request authorization (see here for background) via the config and just use the “domain specific” instrumentation.

While the code is not 100% done – you can download the current solution here.

HTH

(Wanna learn more about federation, WIF, claims, tokens etc.? Click here.)

© Least Privilege or respective owner
