Technology Corner

Implement Role based security using Windows Groups in WCF

This is the third post on security concepts in WCF. You can read the previous posts:

Something about Security in WCF- I

Implement windows authentication and security in WCF Service

Today I’ll describe how to implement role-based authorization using Windows groups. In this case you do not need to maintain any role information in a database, because roles are managed through Windows groups.

Step 1: Create a Windows group

Create a group named MarketServiceSuperUser in “Windows Users and Groups” in Control Panel. This group will be treated as a role in the application.


Step 2: Add users to the Windows group. The users added here become members of this group.




Step 3: Implement role-based security on the service side.

The principal in .NET is any object that implements the IPrincipal interface, defined in the System.Security.Principal namespace:

    public interface IPrincipal
    {
        IIdentity Identity { get; }
        bool IsInRole(string role);
    }


The IsInRole() method simply returns true if the identity associated with this principal is a member of the specified role, and false otherwise.

Programmatic Implementation

    public double GetMarketPrice(string symbol)
    {
        // Reject callers that are not members of the Windows group
        IPrincipal principal = Thread.CurrentPrincipal;
        if (!principal.IsInRole("MarketServiceSuperUser"))
            throw new AuthenticationException("Access Denied");

        //TODO: Fetch market price
        //sending hardcode value
        if (!symbol.EndsWith(".NSE"))
            throw new FaultException<ValidationException>(
                new ValidationException { ValidationError = "Symbol is not valid" },
                new FaultReason("Validation Failed"));
        //send real price
        return 34.4d;
    }


The principal object contains the caller’s identity and can be used to check whether the user holds a given role. If the client user is not a member of the Windows group, IsInRole returns false.

Declarative Implementation

The same behavior can also be implemented with the PrincipalPermission attribute, which takes a SecurityAction enum value and a role name.

    // The demand runs before the method body; non-members never reach it
    [PrincipalPermission(SecurityAction.Demand, Role = "MarketServiceSuperUser")]
    public double GetMarketPrice(string symbol)
    {
        //sending hardcode value
        if (!symbol.EndsWith(".NSE"))
            throw new FaultException<ValidationException>(
                new ValidationException { ValidationError = "Symbol is not valid" },
                new FaultReason("Validation Failed"));
        //send real price
        return 34.4d;
    }
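
Both checks can be exercised without a WCF host or real Windows accounts. The console program below is an added example, not code from the original post: it assumes a GenericPrincipal as a stand-in for the WindowsPrincipal that WCF places on the thread, and the class and helper names are hypothetical.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class RoleCheckDemo
{
    const string Role = "MarketServiceSuperUser";

    // Programmatic check, same call the service method makes.
    static bool ProgrammaticCheck()
    {
        return Thread.CurrentPrincipal.IsInRole(Role);
    }

    // Imperative form of the [PrincipalPermission] demand: it throws
    // SecurityException when the current principal lacks the role.
    static bool DemandPasses()
    {
        try
        {
            new PrincipalPermission(null, Role).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    static void RunAs(string user, params string[] groups)
    {
        // Assumption: the role list plays the part of Windows group membership.
        Thread.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity(user), groups);
        Console.WriteLine("{0}: IsInRole={1}, Demand passes={2}",
            user, ProgrammaticCheck(), DemandPasses());
    }

    static void Main()
    {
        RunAs("MarketServiceUser", Role);   // member of the group
        RunAs("MarketServiceInvalidUser");  // not a member of any group
    }
}
```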

Step 4: Run Client Application

  • Run with a user who is a member of MarketServiceSuperUser.
    static void Main(string[] args)
    {
        try
        {
            Console.WriteLine("Connecting to Service..");
            var proxy = new ServiceClient(new NetTcpBinding(),
                new EndpointAddress("net.tcp://localhost:8000/MarketService"));
            // Windows credentials the service call is made under
            proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser";
            proxy.ClientCredentials.Windows.ClientCredential.UserName = "MarketServiceUser";
            proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";
            Console.WriteLine("MSFT Price:{0}", proxy.GetMarketPrice("MSFT.NSE"));
            Console.WriteLine("Getting price for Google");
            double price = proxy.GetMarketPrice("GOOG.NASDAQ");
        }
        catch (FaultException<ValidationException> ex)
        {
            Console.WriteLine("Service Error:" + ex.Detail.ValidationError);
        }
        catch (Exception ex)
        {
            Console.WriteLine("Service Error:" + ex.Message);
        }
    }

In the code above, the client calls the service as a user who is a member of MarketServiceSuperUser, so the service authorizes access to its resources.

  • Run with a user who is not a member of MarketServiceSuperUser.
proxy.ClientCredentials.Windows.ClientCredential.Domain = "domainuser"; 
proxy.ClientCredentials.Windows.ClientCredential.UserName = "MarketServiceInvalidUser";
proxy.ClientCredentials.Windows.ClientCredential.Password = "123456";

In this case a SecurityAccessDeniedException is generated with the “Access Denied” message.


I hope this post gives you a brief overview of implementing role-based security using Windows groups.
