Tuesday 12 June 2012

WCF REST 4.0 Authorization & Form Authentication (SetAuthCookie)

Windows Communication Foundation offers many ways to authenticate users and check authorization, depending on the service type, and it is quite confusing to implement simple forms-based authentication and role-based authorization for a WCF REST 4.0 service.
Note: This article assumes that the WCF REST service is hosted inside an ASP.NET application and shares its web.config. Make sure that Forms Authentication is enabled in that web.config file.

Something like this:
[WebGet(UriTemplate = "")]
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
public List<SampleItem> GetCollection() { return new List<SampleItem>(); }

But even after the user has been authenticated through the Membership provider, and HttpContext.Current.User.Identity is populated and available at the service level, the PrincipalPermission attribute still throws a SecurityException on every call.

The reason is that the PrincipalPermission attribute checks System.Threading.Thread.CurrentPrincipal, not the HttpContext identity, and in WCF the two are not the same object.
To solve this, we create a custom principal and an authorization policy (IAuthorizationPolicy) for the WCF service. That policy is then hooked into the WCF REST service through a service behavior.
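An added illustration of the policy just described (not the author's CodeProject code): an IAuthorizationPolicy that lifts the Forms Authentication identity out of HttpContext, resolves roles through the configured RoleProvider, and publishes a GenericPrincipal as the evaluation context's "Principal" property, which WCF then installs as Thread.CurrentPrincipal when principalPermissionMode="Custom", so the PrincipalPermission demand is evaluated against the same user ASP.NET authenticated. The class name, the namespace/assembly in the config comment, and ASP.NET compatibility mode being enabled are assumptions.

```csharp
// Hook in web.config (assumed namespace/assembly), under <system.serviceModel><behaviors>:
//   <serviceBehaviors><behavior>
//     <serviceAuthorization principalPermissionMode="Custom"><authorizationPolicies>
//       <add policyType="MyApp.Security.FormsAuthorizationPolicy, MyApp" />
//     </authorizationPolicies></serviceAuthorization>
//   </behavior></serviceBehaviors>
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

namespace MyApp.Security
{
    // Hypothetical policy: copies the Forms Authentication identity from HttpContext into the
    // WCF evaluation context so PrincipalPermission (which reads Thread.CurrentPrincipal)
    // sees the same user ASP.NET authenticated. Requires aspNetCompatibilityEnabled="true".
    public class FormsAuthorizationPolicy : IAuthorizationPolicy
    {
        private readonly string id = Guid.NewGuid().ToString();
        public string Id { get { return id; } }
        public ClaimSet Issuer { get { return ClaimSet.System; } }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            HttpContext http = HttpContext.Current;
            IIdentity identity = (http != null && http.User != null) ? http.User.Identity : null;
            string[] roles;
            if (identity != null && identity.IsAuthenticated)
            {
                // Roles come from the RoleProvider configured in web.config (roleManager enabled).
                roles = Roles.GetRolesForUser(identity.Name);
            }
            else
            {
                // No authenticated user: publish an anonymous principal with no roles so every
                // role demand fails closed instead of failing on a missing principal.
                identity = new GenericIdentity(string.Empty);
                roles = new string[0];
            }
            // With principalPermissionMode="Custom", WCF sets Thread.CurrentPrincipal from this property.
            evaluationContext.Properties["Principal"] = new GenericPrincipal(identity, roles);
            return true;
        }
    }
}
```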

For the detailed code, see my post on codeproject.com written some time back.