Implement Role Based Security Using Windows Groups In Wcf



This document covers a practical implementation of role-based authorization through Windows groups.


  1. http://dotnetdlr.com

     Implement Role based security using Windows Groups in WCF

     This is the third post on security concepts in WCF. You can read the previous posts:

     • Something about Security in WCF - I
     • Implement windows authentication and security in WCF Service

     Today I'll describe how to implement role-based authorization using Windows groups. In this case you do not need to maintain any role information in a database, because roles are managed through Windows groups.

     Step 1: Create the Windows group MarketServiceSuperUser in "Windows Users and Groups" in Control Panel. This group will be treated as a role in the application.

     Step 2: Add users to the Windows group. In this case the user will be a member of this group.
  2. Step 3: Implement role-based security on the service side.

     The principal in .NET is any object that implements the IPrincipal interface, defined in the System.Security.Principal namespace:

         public interface IPrincipal
         {
             IIdentity Identity { get; }
             bool IsInRole(string role);
         }
  3. The IsInRole() method simply returns true if the identity associated with this principal is a member of the specified role, and false otherwise.

     Programmatic Implementation

         // Namespaces used: System.Security.Authentication, System.Security.Principal,
         // System.ServiceModel, System.Threading
         public double GetMarketPrice(string symbol)
         {
             // Principal representing the caller of this operation
             IPrincipal principal = Thread.CurrentPrincipal;
             if (!principal.IsInRole("MarketServiceSuperUser"))
                 throw new AuthenticationException("Access Denied");

             GetServiceContext();

             //TODO: Fetch market price
             //sending hardcode value
             if (!symbol.EndsWith(".NSE"))
                 throw new FaultException<ValidationException>(
                     new ValidationException { ValidationError = "Symbol is not valid" },
                     new FaultReason("Validation Failed"));

             //send real price
             return 34.4d;
         }

     The principal object contains the caller's identity and can be used to check whether the role is valid for this user. If the client user is not a member of the Windows group, IsInRole returns false.

     Declarative Implementation

     The above behavior can also be implemented with the PrincipalPermission attribute, which takes a SecurityAction enum value and a role name.

         // Namespaces used: System.Security.Permissions, System.ServiceModel
         [PrincipalPermission(SecurityAction.Demand, Role = "MarketServiceSuperUser")]
         public double GetMarketPrice(string symbol)
         {
             //sending hardcode value
             if (!symbol.EndsWith(".NSE"))
                 throw new FaultException<ValidationException>(
                     new ValidationException { ValidationError = "Symbol is not valid" },
                     new FaultReason("Validation Failed"));

             //send real price
             return 34.4d;
         }

  4. Step 4: Run Client Application

     • Run with a user who is a member of MarketServiceSuperUser.

         static void Main(string[] args)
         {
             try
             {
                 Console.WriteLine("Connecting to Service..");
                 var proxy = new ServiceClient(new NetTcpBinding(),
                     new EndpointAddress("net.tcp://localhost:8000/MarketService"));

                 // Windows credentials the proxy presents to the service
                 proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser";
                 proxy.ClientCredentials.Windows.ClientCredential.UserName = "MarketServiceUser";
                 proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";

                 Console.WriteLine("MSFT Price:{0}", proxy.GetMarketPrice("MSFT.NSE"));
                 Console.WriteLine("Getting price for Google");
                 double price = proxy.GetMarketPrice("GOOG.NASDAQ");
             }
             catch (FaultException<ValidationException> ex)
             {
                 // Typed fault raised by the service's symbol validation
                 Console.WriteLine("Service Error:" + ex.Detail.ValidationError);
             }
             catch (Exception ex)
             {
                 Console.WriteLine("Service Error:" + ex.Message);
             }
             Console.ReadLine();
         }

     In the code above, the client calls with a user who is a member of MarketServiceSuperUser, so the service authorizes access to its resources.

     • Run with a user who is not a member of MarketServiceSuperUser.

         proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser";
         proxy.ClientCredentials.Windows.ClientCredential.UserName = "MarketServiceInvalidUser";
         proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";

     In this case a SecurityAccessDeniedException is raised with an "Access Denied" message.
  5. I hope this post gives you a brief overview of implementing role-based security using Windows groups.
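The role check in Step 3 only works if the host hands the service a principal built from the caller's Windows groups. The following self-hosted sketch is an added example, not code from the original slides. It makes that host setting explicit and logs each refused caller. The names IMarketService, MarketService and Program are assumptions; the role name, endpoint address and operation name come from the post.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.Threading;

[ServiceContract]
public interface IMarketService               // assumed contract name
{
    [OperationContract]
    double GetMarketPrice(string symbol);
}

public class MarketService : IMarketService   // assumed class name
{
    private const string Role = "MarketServiceSuperUser";

    public double GetMarketPrice(string symbol)
    {
        try
        {
            // Imperative form of the demand: tests Thread.CurrentPrincipal against Role.
            new PrincipalPermission(null, Role).Demand();
        }
        catch (SecurityException)
        {
            // Audit the refusal, then rethrow the same exception type the attribute raises.
            Console.Error.WriteLine("DENIED {0}: not in {1}", Thread.CurrentPrincipal.Identity.Name, Role);
            throw;
        }
        return 34.4d; // hard-coded price, as in the post
    }
}

public static class Program
{
    public static void Main()
    {
        // Windows credentials over a secured transport, so the caller is a Windows account.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        using (var host = new ServiceHost(typeof(MarketService)))
        {
            host.AddServiceEndpoint(typeof(IMarketService), binding, "net.tcp://localhost:8000/MarketService");
            // Build Thread.CurrentPrincipal from the caller's Windows groups.
            host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
            host.Open();
            Console.ReadLine(); // keep the host alive until Enter is pressed
        }
    }
}
```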