
Authorization


This post is a continuation of the WCF Security post.

Authorization in WCF

Using Impersonation

1. Open the application that you created in the WCF Security post.

2. Suppose the application requires that the user who invokes a method is authorized to make changes to a file or write to a folder. To enforce this, we have to enable authorization. In the previous exercise we used the user user2 to invoke the methods in the service. Let's now check whether user2 is authorized to write to a folder.

3. Change the SubmitReview method in the Service project as shown below:

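void IProductService.SubmitReview(ProductReview pr)
{
   // Write the incoming review to a file. The relative path resolves
   // against the working directory of the host process.
   using (FileStream stream = new FileStream("lastMessage.xml", FileMode.Create, FileAccess.Write))
   {
      // Serialize the review to XML using its data contract.
      DataContractSerializer dcs = new DataContractSerializer(typeof(ProductReview));
      dcs.WriteObject(stream, pr);
   }
   Reviews.Add(pr);
}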

4. Run and test the application. It should work at this point, because the host process's identity (the current user's identity) is used to invoke the SubmitReview method. To use the identity supplied in the client's clientCredentials instead, and to authorize based on the Windows access control list, make the following change to the service implementation:

[OperationBehavior(Impersonation=ImpersonationOption.Required)]
void IProductService.SubmitReview(ProductReview pr)

5. Run and test the application again. Notice that this time it fails. Try giving User2 access and run the application again.


Using Role Based Authorization

6. Create a user group on your computer and add users to the group. Use the instructions here.

7. Make the following changes to the service implementation:

        //[OperationBehavior(Impersonation=ImpersonationOption.Required)]
        [PrincipalPermission(SecurityAction.Demand, Role="YourComputerName\\Customers")]
        void IProductService.SubmitReview(ProductReview pr)


8. Run and test. First, let the client use the identity of a user who is not in the group. Then test with a user who is in the group. If the identity used by the client is not in the group, the call should throw an exception on the client end.
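
The two checks from steps 4 and 7 can also be made inside the method body, which keeps impersonation limited to the file write instead of the whole operation. The following is an added example, not code from the original post; it goes slightly beyond the steps above by combining both checks. It assumes .NET Framework with references to System.ServiceModel and System.Runtime.Serialization, and the ProductReview and IProductService definitions are minimal stand-ins for the types from the earlier post.

```csharp
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

// Stand-ins for the types from the earlier post (assumed shapes, not the originals).
[DataContract]
public class ProductReview { [DataMember] public string Comment { get; set; } }

[ServiceContract]
public interface IProductService { [OperationContract] void SubmitReview(ProductReview pr); }

public class ProductService : IProductService
{
    private static readonly List<ProductReview> Reviews = new List<ProductReview>();
    // Group name from step 7; replace the machine part with your computer name.
    private const string CustomersRole = @"YourComputerName\Customers";

    void IProductService.SubmitReview(ProductReview pr)
    {
        // Imperative form of the [PrincipalPermission] attribute: throws
        // SecurityException when the caller is not a member of the group.
        new PrincipalPermission(null, CustomersRole).Demand();

        // Refuse callers for whom WCF has no real Windows identity to impersonate.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.WindowsIdentity.IsAnonymous)
            throw new SecurityException("A Windows caller identity is required.");

        // Impersonate only around the file write, so the folder's ACL is
        // evaluated against the caller. The stream is closed first, then the
        // host identity is restored when the outer using block exits.
        using (ctx.WindowsIdentity.Impersonate())
        using (FileStream stream = new FileStream("lastMessage.xml", FileMode.Create, FileAccess.Write))
        {
            new DataContractSerializer(typeof(ProductReview)).WriteObject(stream, pr);
        }

        // Shared state is updated under the host identity, after impersonation ends.
        lock (Reviews) { Reviews.Add(pr); }
    }
}
```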

References and Links


Authentication and Authorization in WCF Services - Part 1 - https://msdn.microsoft.com/en-us/library/ff405740.aspx

