开发者

WCF/ASP.NET Authentication

开发者 https://www.devze.com 2023-02-07 12:11 出处:网络
My scenario is a 3-Tier app where the data tier is a SQL Server database, the middle tier is a WCF application hosted in a Windows Service and finally the presentation is an Asp.Net MVC application.

My scenario is a 3-Tier app where the data tier is a SQL Server database, the middle tier is a WCF application hosted in a Windows Service and finally the presentation is an Asp.Net MVC application.

As usual, the middle tier is the one that performs all of the business logic. Access database, define business rules.. etc.

Okay, so far so good! BUT now here's question: How do you handle security in such a scenario? I mean, the user has to log in on the ASP.NET application, but I want to authenticate it开发者_如何学运维 not only in ASP but in the WCF middle tier as well, since a WCF service is supposed to be accessed by more apps.

I want the user to log in on the Asp.Net application and let WCF know the credentials as well. Is there some kind of session in WCF in which to specify a logged in user?

How do pros handle security in this case? I know you can secure the WCF services with message security, but how do Asp.Net and WCF sync on a single logged user? I want to secure WCF operations depending on the user for authorization means.


I would suggest looking into using an approach like HMAC (Hash Message Authentication Code) for your security, or a similar token-based approach. The idea would be to sign your requests to your WCF layer which can be used to authenticate the request and identify the user making the request.

The essential elements would be a token and a shared secret of some sort used for signing each request. The token would allow you to identify the user on the WCF end, and lookup the shared secret to verify the request. You can also added timestamps / nonces to prevent replay attacks and such.

I've used this approach for some REST services built on WCF - with the added benefit that clients do not need to store usernames and passwords, just the security tokens used for communication. In your case you'll need to sort out how to exchange the tokens between the ASP.NET layer and the WCF layer, but it would provide you a unified authentication method for any consumer of your WCF services.


Have look here for UserName Password authentication.

ASP.NET Web Site + Windows Forms App + WCF Service: Client Credentials //for insights

0

精彩评论

暂无评论...
验证码 换一张
取 消