Technology Corner


Implement Role based security using Windows Groups in WCF


This is the third post in my series on security concepts in WCF. You can read the previous posts:

Something about Security in WCF- I

Implement windows authentication and security in WCF Service

Today I’ll describe how to implement role-based authorization using a Windows group. With this approach you do not need to maintain any role information in a database, because roles are managed through Windows group membership.

Step 1: Create a Windows group named MarketServiceSuperUser in “Windows Users and Groups” in the Control Panel. This group will be treated as a role in the application.


Step 2: Add users to the Windows group. Each user added here becomes a member of the group and therefore holds the role.


Step 3: Implement role-based security on the service side.

The principal in .NET is any object that implements the IPrincipal interface, defined in the System.Security.Principal namespace:

    public interface IPrincipal
    {
        IIdentity Identity { get; }

        bool IsInRole(string role);
    }

The IsInRole() method simply returns true if the identity associated with this principal is a member of the specified role, and false otherwise.

Programmatic Implementation

    public double GetMarketPrice(string symbol)
    {
        // The principal WCF attached to the current thread for this call
        IPrincipal principal = Thread.CurrentPrincipal;
        if (!principal.IsInRole("MarketServiceSuperUser"))
            throw new AuthenticationException("Access Denied");

        GetServiceContext();
        // TODO: fetch the real market price; a hard-coded value is returned for now
        if (!symbol.EndsWith(".NSE"))
            throw new FaultException<ValidationException>(
                new ValidationException { ValidationError = "Symbol is not valid" },
                new FaultReason("Validation Failed"));
        return 34.4d;
    }


The principal object carries the caller’s identity, and IsInRole checks whether that identity holds the required role. If the client user is not a member of the Windows group, IsInRole returns false and the call is rejected.
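The programmatic check above relies on WCF having mapped the caller’s Windows groups onto the thread principal, which is controlled by the host’s ServiceAuthorizationBehavior. The following self-hosted service is an added example, not code from the original post: it configures NetTcpBinding with Windows transport credentials, sets PrincipalPermissionMode to UseWindowsGroups, and performs the role check on the WindowsIdentity that WCF authenticated (rather than trusting anything the client sent in the message), rejecting anonymous callers and logging denied attempts on the server. The contract name IMarketService, the ValidationException data contract, and the Program host class are assumptions introduced here.

```csharp
using System;
using System.Runtime.Serialization;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example: hypothetical contract matching the operation shown in the post.
[ServiceContract]
public interface IMarketService
{
    [OperationContract]
    [FaultContract(typeof(ValidationException))]
    double GetMarketPrice(string symbol);
}

// Typed fault carried to the client; declared on the contract above.
[DataContract]
public class ValidationException
{
    [DataMember]
    public string ValidationError { get; set; }
}

public class MarketService : IMarketService
{
    // Windows group that acts as the role for this operation.
    const string RequiredGroup = "MarketServiceSuperUser";

    public double GetMarketPrice(string symbol)
    {
        // Use the identity WCF established from the Windows credentials.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Access Denied");          // unauthenticated caller

        WindowsIdentity caller = ctx.WindowsIdentity;
        var principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(RequiredGroup))
        {
            // Server-side audit trail; the client only sees the generic reason.
            Console.WriteLine("Denied: {0} is not a member of {1}", caller.Name, RequiredGroup);
            throw new FaultException("Access Denied");
        }

        if (!symbol.EndsWith(".NSE", StringComparison.Ordinal))
            throw new FaultException<ValidationException>(
                new ValidationException { ValidationError = "Symbol is not valid" },
                new FaultReason("Validation Failed"));

        return 34.4d;   // placeholder value, as in the post
    }
}

class Program
{
    static void Main()
    {
        // Transport security with Windows credentials: the caller is authenticated
        // by the OS, so group membership can be trusted for authorization.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        using (var host = new ServiceHost(typeof(MarketService)))
        {
            host.AddServiceEndpoint(typeof(IMarketService), binding,
                "net.tcp://localhost:8000/MarketService");

            // Map Windows groups onto roles so IsInRole / PrincipalPermission see them.
            var authz = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
            authz.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

            host.Open();
            Console.WriteLine("MarketService listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Throwing a plain FaultException with a fixed reason keeps internal details (exception type, stack trace) out of the response; only the server log records which account was refused and why.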

Declarative Implementation

The same behavior can be implemented declaratively with the PrincipalPermission attribute, which takes a SecurityAction value and the role name.

    [PrincipalPermission(SecurityAction.Demand, Role = "MarketServiceSuperUser")]
    public double GetMarketPrice(string symbol)
    {
        // Hard-coded value is returned for now
        if (!symbol.EndsWith(".NSE"))
            throw new FaultException<ValidationException>(
                new ValidationException { ValidationError = "Symbol is not valid" },
                new FaultReason("Validation Failed"));
        return 34.4d;
    }
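Because the PrincipalPermission demand is evaluated against Thread.CurrentPrincipal, the declarative check can be exercised without a real Windows group or a running service host. The following console program is an added example, not code from the original post: it installs a GenericPrincipal with a chosen set of roles, calls the attributed method, and reports whether the demand passed or threw SecurityException. It assumes .NET Framework, where PrincipalPermission demands are enforced; the RoleCheckDemo class and TryCall helper are introduced here.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example: offline check of the PrincipalPermission demand (.NET Framework).
class RoleCheckDemo
{
    // Same attribute as on the service operation in the post.
    [PrincipalPermission(SecurityAction.Demand, Role = "MarketServiceSuperUser")]
    static double GetMarketPrice(string symbol)
    {
        return 34.4d;   // placeholder value, as in the post
    }

    // Runs the attributed method under a constructed principal and returns
    // true when the role demand passes, false when it is refused.
    static bool TryCall(string userName, string[] roles)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(userName), roles);
        try
        {
            GetMarketPrice("MSFT.NSE");
            return true;
        }
        catch (SecurityException)
        {
            // The demand failed: the principal is not in MarketServiceSuperUser.
            return false;
        }
        finally
        {
            Thread.CurrentPrincipal = saved;   // never leave a test principal behind
        }
    }

    static void Main()
    {
        // Constructed sample principals mirroring the two client runs in the post.
        Console.WriteLine("Member of group:     {0}",
            TryCall("MarketServiceUser", new[] { "MarketServiceSuperUser" }));
        Console.WriteLine("Not member of group: {0}",
            TryCall("MarketServiceInvalidUser", new string[0]));
    }
}
```

Inside a WCF host the principal is supplied by ServiceAuthorizationBehavior; this harness only replaces that source, so the attribute itself is tested exactly as it will run on the service.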

Step 4: Run Client Application

  • Run with a user who is a member of MarketServiceSuperUser.

    static void Main(string[] args)
    {
        try
        {
            Console.WriteLine("Connecting to Service..");
            var proxy = new ServiceClient(new NetTcpBinding(),
                new EndpointAddress("net.tcp://localhost:8000/MarketService"));
            proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser";
            proxy.ClientCredentials.Windows.ClientCredential.UserName = "MarketServiceUser";
            proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";

            Console.WriteLine("MSFT Price:{0}", proxy.GetMarketPrice("MSFT.NSE"));
            Console.WriteLine("Getting price for Google");
            double price = proxy.GetMarketPrice("GOOG.NASDAQ");
        }
        catch (FaultException<ValidationException> ex)
        {
            Console.WriteLine("Service Error:" + ex.Detail.ValidationError);
        }
        catch (Exception ex)
        {
            Console.WriteLine("Service Error:" + ex.Message);
        }
        Console.ReadLine();
    }

In the above code the client calls with a user who is a member of MarketServiceSuperUser, so the service authorizes access to the operation.

  • Run with a user who is not a member of MarketServiceSuperUser.

    proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser";
    proxy.ClientCredentials.Windows.ClientCredential.UserName = "MarketServiceInvalidUser";
    proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";

In this case a SecurityAccessDeniedException is raised on the client with the message “Access Denied”.
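The two client runs above produce different exception types, and the catch order matters because SecurityAccessDeniedException and FaultException both derive from CommunicationException. The following client is an added example, not code from the original post: it distinguishes the authorization refusal from the typed validation fault and from channel errors, aborts the proxy after a fault instead of closing it, and uses the logged-on user’s Windows token rather than embedding a username and password in source. It assumes the ServiceClient proxy and ValidationException type generated from the post’s contract.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: client that handles each failure mode described in the post.
class ClientDemo
{
    static void Main()
    {
        // NetTcpBinding defaults to transport security with Windows credentials.
        // No ClientCredential is set, so the caller's own logon token is used.
        var proxy = new ServiceClient(new NetTcpBinding(),
            new EndpointAddress("net.tcp://localhost:8000/MarketService"));
        try
        {
            Console.WriteLine("MSFT Price: {0}", proxy.GetMarketPrice("MSFT.NSE"));
            Console.WriteLine("GOOG Price: {0}", proxy.GetMarketPrice("GOOG.NASDAQ"));
            proxy.Close();   // graceful shutdown only on the success path
        }
        catch (SecurityAccessDeniedException ex)
        {
            // Raised when the caller is not in MarketServiceSuperUser.
            Console.WriteLine("Authorization failed: " + ex.Message);
            proxy.Abort();
        }
        catch (FaultException<ValidationException> ex)
        {
            // Typed fault declared on the contract (e.g. a non-.NSE symbol).
            Console.WriteLine("Validation error: " + ex.Detail.ValidationError);
            proxy.Abort();
        }
        catch (FaultException ex)
        {
            // Any other fault the service raised; no internal detail is expected here.
            Console.WriteLine("Service fault: " + ex.Message);
            proxy.Abort();
        }
        catch (CommunicationException ex)
        {
            // Transport or channel failure; the proxy is now faulted.
            Console.WriteLine("Channel error: " + ex.Message);
            proxy.Abort();
        }
    }
}
```

Calling Close on a faulted proxy throws a second exception, which is why each failure path ends with Abort; catching the most specific exception first keeps an authorization refusal from being reported as a generic channel error.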


I hope this post has given you a brief overview of implementing role-based security using Windows groups.
