Implement Role Based Security Using Windows Groups In Wcf
1. http://dotnetdlr.com
Implement Role based security using
Windows Groups in WCF
This is third blog on security concept in WCF. You can read previous posts:
Something about Security in WCF- I
Implement windows authentication and security in WCF Service
Today I’ll describe how we can implement role based authorization using Windows Group. In
this case you will not need to maintain any information in database because roles are managing
through windows group.
Step1: Create Windows Group
MarketServiceSuperUser in “Windows Users and Groups” in control panel. This group will
be treated as roles in application.
Step2: Add users to windows Group. In this case user will be member of this group.
2. http://dotnetdlr.com
Step 3: Implement Role based security in Service side.
The principal in .NET is any object that implements the IPrincipal interface, defined in the
System.Security.Principal namespace:
public interface IPrincipal
{
IIdentity Identity
{get;}
bool IsInRole(string role);
}
3. http://dotnetdlr.com
The IsInRole() method simply returns true if the identity associated with this principal is a
member of the specified role, and false otherwise.
Programmatic Implementation
public double GetMarketPrice(string symbol)
{
IPrincipal principal = Thread.CurrentPrincipal;
if (!principal.IsInRole("MarketServiceSuperUser"))
throw new AuthenticationException("Access Denied");
GetServiceContext();
//TODO: Fetch market price
//sending hardcode value
if (!symbol.EndsWith(".NSE"))
throw new FaultException(
new ValidationException { ValidationError = "Symbol is not
valid" },
new FaultReason("Validation Failed"));
//send real price
return 34.4d;
}
Principal object contains caller’s identity and can be check if role is valid for this user. If Client
user is not member of windows group then IsInRole will return false.
Declarative Implementation
Above behavior can also be implemented by PrincipalPermission attribute which take
SecurityAction enum and role name.
[PrincipalPermission(SecurityAction.Demand, Role =
"MarketServiceSuperUser")]
public double GetMarketPrice(string symbol)
{
//sending hardcode value
if (!symbol.EndsWith(".NSE"))
throw new FaultException(new
4. http://dotnetdlr.com
ValidationException { ValidationError = "Symbol is not valid"
},
new FaultReason("Validation Failed"));
//send real price
return 34.4d;
}
Step 4: Run Client Application
Run with User which are not member of MarketServiceSuperUser.
static void Main(string[] args)
{
try
{
Console.WriteLine("Connecting to Service..");
var proxy = new ServiceClient(new NetTcpBinding(),
new EndpointAddress("net.tcp://localhost:8000/MarketService"));
proxy.ClientCredentials.Windows.ClientCredential.Domain =
"domainuser";
proxy.ClientCredentials.Windows.ClientCredential.UserName =
"MarketServiceUser";
proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";
Console.WriteLine("MSFT Price:{0}",
proxy.GetMarketPrice("MSFT.NSE"));
Console.WriteLine("Getting price for Google");
double price = proxy.GetMarketPrice("GOOG.NASDAQ");
}
catch (FaultException ex)
{
Console.WriteLine("Service Error:" + ex.Detail.ValidationError);
}
catch (Exception ex)
{
Console.WriteLine("Service Error:" + ex.Message);
}
Console.ReadLine();
}
In above code client will call with user which is member of MarketServiceSuperUser, service
will authorize to access resources in service.
Run with User which are not member of MarketServiceSuperUser.
proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser";
proxy.ClientCredentials.Windows.ClientCredential.UserName =
"MarketServiceInvalidUser";
proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";
In this case SecurityAccessDeniedException will generate with “Access Denied” message.