How to authenticate, filter, and verify WCF-based oData result?

Developer https://www.devze.com 2023-01-24 08:26 Source: Internet
Can someone tell me if it's possible to do this with my WCF-based oData feed, and let me know what to search for or how to get started?

1) Authenticate - I'd like to make sure that the oData service is only accessed by someone who has already authenticated using the ASP.NET membership system

2) Filter - Suppose I'm returning a list of student classes... I'd like to make it so that students only see classes they enrolled in (based on username) and not the ones that haven't yet been published.

3) Verify - I'm not sure if this is needed, but just in case some clever hacker finds a hole in MSFT's oData protocol, I'd like to verify the results of my Entity Framework data prior to streaming to the client. This would apply if there is a singleton DAL, thus creating concurrency issues. See 5:15 of this video for an example.

The test I want to do is verify that every row returned has a username column that equals the current session username.

[EDIT]

4) Encrypt - This is similar to #3, but I'd like to obfuscate the primary key before it is sent to the client. In one case, the PK is the social security number and I don't want that being cached, or otherwise sent downstream. I would need to decrypt this on an oData write as well.


1) Authentication - as mentioned by Coding Gorilla above there's a series of posts on the WCF Data Services blog on how to implement different kinds of authentication.

2) Filter - this is exactly what query interceptors are for. See for example this article on MSDN http://msdn.microsoft.com/en-us/library/dd744837.aspx

3) Verify - if you think you really need to do this, it might be a bit tricky. Currently WCF Data Services doesn't have an extensibility point which you could plug into easily to see the results being written out. You might be able to wrap the IQueryable instances returned by EF and do the verification when the results are enumerated, but I haven't seen that done yet, so don't know if it will work.

4) This will be tricky just in WCF Data Services. I would try to do this inside EF alone (not sure if it's possible though). The problem is that the key properties are used to address the entities, so they show up in URLs and queries. So you would not only need to decrypt them in the payloads but also in the query itself which would be a lot of work. Maybe somebody with more EF experience will know how to do this in EF alone (in which case WCF Data Services would see just the encrypted values and everything would work)

0
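
An added example, not part of the original question or answer, showing points 1 and 2 together in one WCF Data Services class: an authentication gate in `OnStartProcessingRequest` and a query interceptor that restricts rows to the caller's username. The `StudentClass` model, the `SchoolData` source, the `SchoolService` name, and the `Username`/`IsPublished` properties are hypothetical; it assumes the service is hosted in ASP.NET so that `HttpContext.Current.User` carries the membership identity.

```csharp
using System;
using System.Data.Services;
using System.Data.Services.Common;
using System.Linq;
using System.Linq.Expressions;
using System.Web;

// Hypothetical model: one row per (student, class) enrollment.
[DataServiceKey("Id")]
public class StudentClass
{
    public int Id { get; set; }
    public string Username { get; set; }
    public string Title { get; set; }
    public bool IsPublished { get; set; }
}

// Hypothetical data source (constructed rows); in the question this is the EF context.
public class SchoolData
{
    static readonly StudentClass[] Rows =
    {
        new StudentClass { Id = 1, Username = "alice", Title = "Algebra", IsPublished = true },
        new StudentClass { Id = 2, Username = "alice", Title = "Physics", IsPublished = false },
        new StudentClass { Id = 3, Username = "bob",   Title = "History", IsPublished = true },
    };
    public IQueryable<StudentClass> StudentClasses { get { return Rows.AsQueryable(); } }
}

public class SchoolService : DataService<SchoolData>
{
    public static void InitializeService(DataServiceConfiguration config)
    {
        // Read-only exposure; sets that are not listed stay inaccessible.
        config.SetEntitySetAccessRule("StudentClasses", EntitySetRights.AllRead);
    }
    // Point 1: refuse any request that has no authenticated ASP.NET identity.
    protected override void OnStartProcessingRequest(ProcessRequestArgs args)
    {
        var ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            throw new DataServiceException(401, "Authentication required.");
        base.OnStartProcessingRequest(args);
    }
    // Point 2: the predicate is composed into queries on the set, so the client's
    // $filter can only narrow the result further, never widen it.
    [QueryInterceptor("StudentClasses")]
    public Expression<Func<StudentClass, bool>> OnQueryStudentClasses()
    {
        string username = HttpContext.Current.User.Identity.Name;
        return c => c.Username == username && c.IsPublished;
    }
}
```

With the constructed rows, a request authenticated as `alice` returns only row 1, whatever `$filter` the client supplies.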
