Tuesday, 12 June 2012

WCF REST 4.0 Authorization & Form Authentication (SetAuthCookie)

Windows Communication Foundation provides many ways to authenticate users and check authorization depending on the service type, and it is quite confusing to implement simple forms-based authentication and role-based authorization for WCF REST 4.0.
Note: This article assumes that the WCF REST service is hosted with an ASP.NET application and shares the same web.config. Make sure that Forms Authentication is enabled in the web.config file.

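The goal is to protect a service operation declaratively, something like this:
[WebGet(UriTemplate = "")]
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
public List<SampleItem> GetCollection()
{
    // Only reached when the current principal is in the Admin role
    return new List<SampleItem>();
}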

But even after the user is authenticated using the Membership provider, and HttpContext.Current.User.Identity and the context are available at the service level, the PrincipalPermission attribute always throws a security exception.

The reason is that the PrincipalPermission attribute checks System.Threading.Thread.CurrentPrincipal.Identity and not the HttpContext identity.
To solve this problem, we have to create a custom principal and an authorization policy for the WCF service. This policy is then hooked into the WCF REST service using a service behavior.
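
A sketch of such a policy, added here as an example (it is not the code from the CodeProject post). The class names, the namespace and assembly in the config comment, and the use of the ASP.NET role manager for role lookups are assumptions; it also relies on ASP.NET compatibility mode so that HttpContext.Current is populated.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical names: FormsRolePrincipal and HttpContextPrincipalPolicy are illustrative.
public sealed class FormsRolePrincipal : IPrincipal
{
    public FormsRolePrincipal(IIdentity identity) { Identity = identity; }
    public IIdentity Identity { get; private set; }

    // Assumption: the ASP.NET role manager is enabled in web.config.
    public bool IsInRole(string role)
    {
        return Identity.IsAuthenticated && Roles.IsUserInRole(Identity.Name, role);
    }
}

public sealed class HttpContextPrincipalPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        HttpContext ctx = HttpContext.Current; // null unless ASP.NET compatibility mode is on
        IIdentity identity = (ctx != null && ctx.User != null)
            ? ctx.User.Identity
            : new GenericIdentity(string.Empty); // unauthenticated, so the Demand fails closed

        // With principalPermissionMode="Custom", WCF copies the "Principal" property
        // to Thread.CurrentPrincipal before the operation is invoked.
        evaluationContext.Properties["Principal"] = new FormsRolePrincipal(identity);
        evaluationContext.Properties["Identities"] = new List<IIdentity> { identity };
        return true; // this policy has nothing further to evaluate
    }
}

/* web.config, inside the service's <behavior> (type and assembly names are placeholders):
<serviceAuthorization principalPermissionMode="Custom">
  <authorizationPolicies><add policyType="MyNamespace.HttpContextPrincipalPolicy, MyAssembly" /></authorizationPolicies>
</serviceAuthorization> */
```

When no forms-authenticated user is present, the policy installs an unauthenticated identity, so the [PrincipalPermission] demand still throws instead of letting the call through.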

For the detailed code, see my post on codeproject.com, written some time back.

Monday, 4 June 2012

Migrating FBA Users from MOSS 2007 to SP 2010

I remember writing a PowerShell script to migrate forms-based authentication users to claims-based authentication while working on a MOSS 2007 to SP 2010 migration project. I also shared the PowerShell script on a blog. But the next time I needed it, I could not find it easily. So I realized it was time to start my own blog. Here I am documenting and sharing some code.

Here is the original post. (Yes my name is Anu too)
Jasper's Blog

The easy way is a simple PowerShell script:

$w = Get-SPWebApplication "url"
# Convert the web application's existing users to claims-based logins
$w.MigrateUsers($true)

But this script seems to have a hard-coded limit on the number of users it handles, or sometimes does not work. I had more than 5k users in my database, which resulted in not all users being converted. When you need to convert more, I have provided a PowerShell script which will do this:

# Load the assemblies needed when running outside the SharePoint Management Shell
[System.Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Administration") | Out-Null
$spFarm = [Microsoft.SharePoint.Administration.SPFarm]::Local
$site = New-Object Microsoft.SharePoint.SPSite("yoursitename")
# Only accounts still in the old 2007 format (providername:username) need migrating
$site.RootWeb.SiteUsers | Where-Object { $_.LoginName -like "providername:*" } | ForEach-Object {
    $name = $_.LoginName
    Write-Host $name
    # Build the SP 2010 claims-encoded login name
    $newName = $name.Replace("providername:", "i:0#.f|providername|")
    Write-Host $newName
    # $False: do not enforce SID history
    $spFarm.MigrateUserAccount($name, $newName, $False)
    Write-Host "Migrated User:"
}
$site.Dispose()

This script uses the MigrateUserAccount command to convert a single user, and loops through all users which have not yet been converted. You can tell by the format of the username; old 2007 users will be in the format 'providername:username', new ones will look like 'i:0#.f|providername|username'.