Role based authorization on top of WCF HTTP

Topics: Web Api
May 3, 2011 at 10:40 PM

I'm trying to implement some role-based security on top of a set of API services we are building on the Web API.

Essentially, I want to use some type of 'IsInRole' (probably using WIF for future claims-based authz) and authorize the API calls.

Do I need to make a call inside of each GET/POST method in a resource?

Any recommendations/gotchas on doing this? It seems like I would want the authz to be checked before an HTTP request hits any formatters, but I don't know exactly how to enforce that.

Thanks!

John Reynolds


May 3, 2011 at 10:48 PM
Edited May 3, 2011 at 10:49 PM

Hey John,

Check out Pablo's Blog:

http://weblogs.asp.net/cibrax/archive/2011/02/04/authenticating-clients-in-the-new-wcf-http-stack.aspx

http://weblogs.asp.net/cibrax/archive/2011/04.aspx (last post)

And Alexander's:

http://blog.alexonasp.net/post/2011/03/02/Using-WCF-Web-APIs-WCF-Http-with-ASPNET-Forms-Authentication.aspx

May 3, 2011 at 11:57 PM

ASP.NET authorization works great with WCF Web. All you have to do is create a physical directory that corresponds to your route, and add a web.config file with the appropriate markup. For example, add a web.config file with these contents:

<?xml version="1.0"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="RegisteredUsers"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</configuration>

in a folder called "Private" in your web service. This will deny access to any route starting with "Private" to anybody not in the "RegisteredUsers" role.

So you will need to make all your "locked down" routes start with "Private". For example, "Private/Route1" and "Private/Route2".

It's really convenient that ASP.NET checks for the existence of web.config files in physical folders to perform authorization checks on resources that don't have a physical file presence.
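The following is an added example, not code from the thread or from ASP.NET itself: a small Python model of how ASP.NET URL authorization evaluates the `<allow>`/`<deny>` rules in the web.config above, so the practical gotchas of the folder-based approach can be checked offline. The evaluator, the `Principal` type, the folder table and the sample users and paths are constructed for the example; the semantics it models are the real ones: rules are evaluated in document order and the first matching rule wins, `users="*"` matches everyone and `users="?"` matches anonymous requests, rules from a deeper folder are evaluated before those of its parents, and the root default inherited from machine.config is `<allow users="*"/>`. The example also shows two configurations to avoid (deny placed before allow, and allow with no deny) and that the folder match is per path segment, so a route like "Privateer/Route1" is not covered by the "Private" folder's web.config.

```python
"""Toy model of ASP.NET URL authorization (first matching rule wins).
Added example for this thread; not ASP.NET's own implementation."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The web.config from the answer above, dropped in a folder called "Private".
PRIVATE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="RegisteredUsers"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</configuration>"""

# Two mistakes, constructed for comparison.
# 1. Deny before allow: the first match wins, so every request is denied.
MISORDERED_WEB_CONFIG = PRIVATE_WEB_CONFIG.replace(
    '<allow roles="RegisteredUsers"/>\n            <deny users="*"/>',
    '<deny users="*"/>\n            <allow roles="RegisteredUsers"/>')
# 2. Allow with no deny: non-members fall through to the root default (allow all).
ALLOW_ONLY_WEB_CONFIG = PRIVATE_WEB_CONFIG.replace('<deny users="*"/>', '')

ROOT_RULES = [("allow", {"users": "*"})]   # the machine.config default


@dataclass(frozen=True)
class Principal:            # constructed stand-in for IPrincipal
    name: str | None        # None models an anonymous request
    roles: frozenset = frozenset()

    def is_in_role(self, role: str) -> bool:
        return role in self.roles


def parse_rules(config_xml: str) -> list[tuple[str, dict]]:
    """Return [(action, attributes)] from <authorization> in document order."""
    root = ET.fromstring(config_xml)
    return [(e.tag, dict(e.attrib)) for e in root.iter() if e.tag in ("allow", "deny")]


def _split(value: str | None) -> list[str]:
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def rule_matches(attrs: dict, principal: Principal, verb: str) -> bool:
    """A rule applies if its verbs (if any) include the request verb and
    either its users or its roles list matches the principal."""
    verbs = {v.upper() for v in _split(attrs.get("verbs"))}
    if verbs and verb.upper() not in verbs:
        return False
    for u in _split(attrs.get("users")):
        if u == "*":                                  # everyone
            return True
        if u == "?" and principal.name is None:       # anonymous only
            return True
        if principal.name and u.lower() == principal.name.lower():
            return True
    return any(principal.is_in_role(r) for r in _split(attrs.get("roles")))


def rules_for_path(path: str, folder_configs: dict) -> list[tuple[str, dict]]:
    """Rules of the deepest matching folder first, then its parents, then root.
    Folders are matched per path segment (case-insensitively, as on IIS),
    not as a string prefix of the URL."""
    segments = [s.lower() for s in path.strip("/").split("/") if s]
    rules: list[tuple[str, dict]] = []
    for depth in range(len(segments), 0, -1):
        rules.extend(folder_configs.get("/".join(segments[:depth]), []))
    return rules + ROOT_RULES


def is_authorized(path: str, principal: Principal, verb: str = "GET",
                  folder_configs: dict | None = None) -> bool:
    if folder_configs is None:
        folder_configs = {"private": parse_rules(PRIVATE_WEB_CONFIG)}
    for action, attrs in rules_for_path(path, folder_configs):
        if rule_matches(attrs, principal, verb):
            return action == "allow"
    return True   # not reached: the root default always matches


ANON = Principal(None)
BOB = Principal("bob", frozenset({"RegisteredUsers"}))
EVE = Principal("eve", frozenset({"Guests"}))


def demo() -> dict:
    misordered = {"private": parse_rules(MISORDERED_WEB_CONFIG)}
    allow_only = {"private": parse_rules(ALLOW_ONLY_WEB_CONFIG)}
    return {
        "bob_private": is_authorized("/Private/Route1", BOB),       # allowed by role
        "eve_private": is_authorized("/Private/Route1", EVE),       # hits deny users="*"
        "anon_private": is_authorized("/private/route2", ANON),     # case-insensitive folder match
        "eve_public": is_authorized("/Public/Route1", EVE),         # only the root default applies
        "eve_privateer": is_authorized("/Privateer/Route1", EVE),   # no folder "Privateer": allowed
        "bob_misordered": is_authorized("/Private/Route1", BOB, folder_configs=misordered),
        "eve_allow_only": is_authorized("/Private/Route1", EVE, folder_configs=allow_only),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:15} -> {'allow' if allowed else 'deny'}")
```

Running `demo()` shows the two failure modes a practitioner should test for before relying on this approach: with `<deny>` ahead of `<allow>`, even a RegisteredUsers member is locked out, and without the trailing `<deny users="*"/>` a non-member is let in by the inherited root default. It also shows that the protection is scoped by folder, so every locked-down route must really sit under "Private/".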

May 3, 2011 at 11:59 PM

Perfect! Thanks to both of you guys.

I'll probably start with the config based auth to get off the ground, and then use the authentication interceptor approach as our security requirements get more complex.