Implement role based security using Windows groups in WCF
DESCRIPTION
This document covers a practical implementation of role-based authorization through a Windows group.
TRANSCRIPT
http://dotnetdlr.com
Implement Role based security using Windows Groups in WCF
This is the third blog post on security concepts in WCF. You can read the previous posts:
Something about Security in WCF - I
Implement windows authentication and security in WCF Service
Today I'll describe how we can implement role-based authorization using a Windows group. In this case you will not need to maintain any role information in a database, because roles are managed through the Windows group.
Step 1: Create the Windows group MarketServiceSuperUser in "Windows Users and Groups" in Control Panel. This group will be treated as a role in the application.
Step 2: Add users to the Windows group. In this case the user will be a member of this group.
Step 3: Implement Role based security on the Service side
The principal in .NET is any object that implements the IPrincipal interface defined in the System.Security.Principal namespace:

    public interface IPrincipal
    {
        IIdentity Identity { get; }
        bool IsInRole(string role);
    }
The IsInRole() method simply returns true if the identity associated with this principal is a member of the specified role, and false otherwise.
Programmatic Implementation

    using System.Security.Authentication;
    using System.Security.Principal;
    using System.ServiceModel;
    using System.Threading;

    public double GetMarketPrice(string symbol)
    {
        // WCF sets Thread.CurrentPrincipal to the authenticated Windows caller
        IPrincipal principal = Thread.CurrentPrincipal;
        // Reject callers that are not members of the MarketServiceSuperUser group
        if (!principal.IsInRole("MarketServiceSuperUser"))
            throw new AuthenticationException("Access Denied");

        GetServiceContext();
        // TODO: Fetch market price
        // sending hardcoded value
        if (symbol.EndsWith("NSE"))
            // ValidationException is the service's own fault contract carrying a ValidationError message
            throw new FaultException<ValidationException>(
                new ValidationException { ValidationError = "Symbol is not valid" },
                new FaultReason("Validation Failed"));

        // send real price
        return 344d;
    }
The principal object contains the caller's identity, and it can be used to check whether the user holds the required role. If the client user is not a member of the Windows group, IsInRole will return false.
Declarative Implementation
The same behavior can also be implemented with the PrincipalPermission attribute, which takes a SecurityAction enum value and the role name:

    [PrincipalPermission(SecurityAction.Demand, Role = "MarketServiceSuperUser")]
    public double GetMarketPrice(string symbol)
    {
        // sending hardcoded value
        if (symbol.EndsWith("NSE"))
            throw new FaultException<ValidationException>(
                new ValidationException { ValidationError = "Symbol is not valid" },
                new FaultReason("Validation Failed"));

        // send real price
        return 344d;
    }
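To show how the two checks behave without a running WCF host, here is an added example (not code from the original post) that runs both the IsInRole test and the PrincipalPermission demand against constructed GenericPrincipal objects standing in for the caller's WindowsPrincipal. It assumes .NET Framework, where PrincipalPermission demands are enforced by the CLR; the MarketAuthorizationDemo class, the IsSuperUser helper and the sample user names are assumptions of this example.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class MarketAuthorizationDemo
{
    const string SuperUserRole = "MarketServiceSuperUser";

    // Programmatic check, equivalent to the IsInRole test in the service above.
    public static bool IsSuperUser(IPrincipal principal)
    {
        return principal != null && principal.IsInRole(SuperUserRole);
    }

    // Declarative check: the CLR demands the role on Thread.CurrentPrincipal
    // before the body runs and throws SecurityException when it is missing.
    // In a WCF host, Thread.CurrentPrincipal is the caller's WindowsPrincipal
    // when ServiceAuthorizationBehavior.PrincipalPermissionMode is
    // UseWindowsGroups (the default).
    [PrincipalPermission(SecurityAction.Demand, Role = SuperUserRole)]
    public static double GetMarketPrice(string symbol)
    {
        return 344d; // hard-coded value, as in the post
    }

    public static void Main()
    {
        // Constructed principals (hypothetical users) in place of real Windows accounts.
        var member = new GenericPrincipal(new GenericIdentity("MarketServiceUser"), new[] { SuperUserRole });
        var outsider = new GenericPrincipal(new GenericIdentity("MarketServiceInvalidUser"), new string[0]);

        foreach (IPrincipal principal in new IPrincipal[] { member, outsider })
        {
            Thread.CurrentPrincipal = principal;
            Console.WriteLine("{0}: IsInRole = {1}", principal.Identity.Name, IsSuperUser(principal));
            try
            {
                Console.WriteLine("  price = {0}", GetMarketPrice("GOOG.NASDAQ"));
            }
            catch (SecurityException ex)
            {
                // WCF surfaces this failed demand to the client as SecurityAccessDeniedException.
                Console.WriteLine("  declarative demand failed: {0}", ex.Message);
            }
        }
    }
}
```

Running it prints IsInRole = True and a price for the member, and IsInRole = False followed by the failed demand for the outsider.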
Step 4: Run the Client Application
Run with a user that is a member of MarketServiceSuperUser:
    static void Main(string[] args)
    {
        try
        {
            Console.WriteLine("Connecting to Service...");
            var proxy = new ServiceClient(new NetTcpBinding(),
                new EndpointAddress("net.tcp://localhost:8000/MarketService"));
            // Credentials are hardcoded for the demo only; "domainuser" is the
            // placeholder domain value from the original post
            proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser";
            proxy.ClientCredentials.Windows.ClientCredential.UserName = "MarketServiceUser";
            proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";
            Console.WriteLine("MSFT Price:{0}", proxy.GetMarketPrice("MSFT.NSE"));
            Console.WriteLine("Getting price for Google");
            double price = proxy.GetMarketPrice("GOOG.NASDAQ");
        }
        catch (FaultException<ValidationException> ex)
        {
            Console.WriteLine("Service Error: " + ex.Detail.ValidationError);
        }
        catch (Exception ex)
        {
            Console.WriteLine("Service Error: " + ex.Message);
        }
        Console.ReadLine();
    }
In the code above the client calls the service as a user that is a member of MarketServiceSuperUser, so the service authorizes access to its resources.
Run with a user that is not a member of MarketServiceSuperUser:

    proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser";
    proxy.ClientCredentials.Windows.ClientCredential.UserName = "MarketServiceInvalidUser";
    proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";
In this case a SecurityAccessDeniedException is raised with the "Access Denied" message.
I hope this post has briefed you on the implementation of role-based security using Windows groups.