Technology Corner

Home » DotNet » Implement Role based security using Windows Groups in WCF

Implement Role based security using Windows Groups in WCF

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 80 other followers

Twitter updates

Archives

RSS InfoQ Feeds

  • How Google Develops New Managers
    Alex Langshur, host of Google Partners Podcasts, has organized the podcast Google HR secrets: identifying & developing great managers, interviewing Sarah Calderon, People Development at Google, on how Google selects, trains, and develops their managers. By Abel Avram
  • Presentation: Cognitive Services, Next Step in Creating Our Robot Overlords
    Harold Pulcher discusses Cognitive Services, how to get started using them, and how to incorporate speech, image, and facial recognition into an application. By Harold Pulcher
  • Presentation: Control Flow Integrity Using Hardware Counters
    Jamie Butler and Cody Pierce discuss a new system for early detection and prevention of unknown exploits. Their system uses Performance Monitoring Unit hardware to enforce coarse-grained Control Flow Integrity (CFI). They intend to prove that their approach is effective and suitable for practical use, while staying resistant to bypass. By Jamie Butler
  • JetBrains Launches GoLand Go IDE
    JetBrains has moved its Go IDE from its early access programme to market. Now branded as GoLand, the IDE extends the IntelliJ platform making its core functionality specific to Go. This follows suit with their other language-specific tools such as PyCharm for Python and RubyMine for Ruby. By Andrew Morgan
  • Panel on the Future of AI
    An SF QCon panel on the future of AI explored some issues facing machine learning today. The areas explored: critical issues facing AI right now, how has technology changed the way people are hired, how non-leading edge companies make the best use of current technologies, what the role of humans in relation to AI is, and exciting new breakthroughs on the imm […]
  • Microsoft Updates Cosmos DB with Cassandra Support and Provides Better Availability Guarantees
    Last month at Microsoft Connect 2017, Azure Cosmos DB received several new updates, including support for using the Cassandra NoSQL database API and increased guarantees for availability. With the Cassandra NoSQL database API, customers can run operations inside Cosmos DB on a data model. The availability guarantee moves from 99.99 percent to 99.999 percent. […]
  • Article: Approximate Computing on WSO2: Explaining Approximation Algorithms in an Applied Setting
    In this article, we describe an example real world application of API monitoring which gets benefit by using approximate stream processing. We developed the application on top of WSO2 Stream Processor as Siddhi extension. Siddhi is the complex event processing library which acts as the event processing engine of WSO2 Stream Processor. By Chamod Samarajeewa
  • Rust in Visual Studio and VS Code
    Daniel Griffen has released a preview version of a Rust language service for Visual Studio. This plugin requires Visual Studio 2017 Preview, an experimental release stream for testing new VS features. By Jonathan Allen
  • Article: Key Takeaway Points and Lessons Learned from QCon San Francisco 2017
    The eleventh annual QCon San Francisco was the biggest yet, bringing together over 1,800 team leads, architects, project managers, and engineering directors. By Abel Avram
  • Article: Q&A With Eberhard Wolff On the Book “A Practical Guide to Continuous Delivery”
    Eberhard Wolff speaks with InfoQ about his work "Continuous Delivery: A Practical Guide", where we detail some of the major concepts behind successful CD adoption and the ripple-effect it can have on developer productivity and quality of service. By Dylan Raithel

This is third blog on security concept in WCF. You can read previous posts:

Something about Security in WCF- I

Implement windows authentication and security in WCF Service

Today I’ll describe how we can implement role based authorization using Windows Group. In this case you will not need to maintain any information in database because roles are managing through windows group.

Step1: Create Windows Group

MarketServiceSuperUser in “Windows Users and Groups” in control panel. This group will be treated as roles in application.

image

Step2: Add users to windows Group. In this case user will be member of this group.

image

image

 

Step 3: Implement Role based security in Service side.

The principal in .NET is any object that implements the IPrincipal interface, defined in the System.Security.Principal namespace:

public interface IPrincipal
{
IIdentity Identity

{get;}

bool IsInRole(string role);

}

The IsInRole() method simply returns true if the identity associated with this principal is a member of the specified role, and false otherwise.

Programmatic Implementation

 public double GetMarketPrice(string symbol)

        {
            IPrincipal principal = Thread.CurrentPrincipal;
            if (!principal.IsInRole("MarketServiceSuperUser"))
                throw new AuthenticationException("Access Denied");

            GetServiceContext();
            //TODO: Fetch market price
            //sending hardcode value
            if (!symbol.EndsWith(".NSE"))
                throw new FaultException(
		new ValidationException { ValidationError = "Symbol is not valid" }, 
		new FaultReason("Validation Failed"));
           //send real price
            return 34.4d;
        }

image

Principal object contains caller’s identity and can be check if role is valid for this user. If Client user is not member of windows group then IsInRole will return false.

Declarative Implementation

Above behavior can also be implemented by PrincipalPermission attribute which take SecurityAction enum and role name.

      [PrincipalPermission(SecurityAction.Demand, Role = "MarketServiceSuperUser")]
       public double GetMarketPrice(string symbol)

        {
            //sending hardcode value
            if (!symbol.EndsWith(".NSE"))
                throw new FaultException(new 
		ValidationException { ValidationError = "Symbol is not valid" },
		new FaultReason("Validation Failed"));
           //send real price
            return 34.4d;
        }

Step 4: Run Client Application

  • Run with User which are not member of MarketServiceSuperUser.
   
static void Main(string[] args)
        {
       try
       {
       Console.WriteLine("Connecting to Service..");
        var proxy = new ServiceClient(new NetTcpBinding(), 
	new EndpointAddress("net.tcp://localhost:8000/MarketService"));
        proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser";
        proxy.ClientCredentials.Windows.ClientCredential.UserName = "MarketServiceUser";
       proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";
               
        Console.WriteLine("MSFT Price:{0}", proxy.GetMarketPrice("MSFT.NSE"));
        Console.WriteLine("Getting price for Google");
        double price = proxy.GetMarketPrice("GOOG.NASDAQ");
        }
           
       catch (FaultException ex)
        {
           Console.WriteLine("Service Error:" + ex.Detail.ValidationError);
        }
        catch (Exception ex)
         {
           Console.WriteLine("Service Error:" + ex.Message);
         }
        Console.ReadLine();
        }

In above code client will call with user which is member of MarketServiceSuperUser, service will authorize to access resources in service. 

  • Run with User which are not member of MarketServiceSuperUser.
proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser"; 
proxy.ClientCredentials.Windows.ClientCredential.UserName = "MarketServiceInvalidUser";
proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";

In this case SecurityAccessDeniedException  will generate with “Access Denied” message.

image

I hope this post brief you about implementation of role base security using windows group.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blogs I Follow

%d bloggers like this: