A proof-of-concept application showing that IIS-hosted WCF services can be protected from unauthorized use when hosted in a public-facing web site on the DASP servers. The sample uses ASP.NET AJAX application services authentication over SSL and a custom ServiceAuthorizationManager descendant to prevent unauthorized access to a WCF service. The project write-up, including links to the readme and full source code, is here: http://www.jjssoftware.co.uk/securedwcf.aspx The working application can be seen and tried out here: https://www.crystalcms.co.uk/silverlight/securewcf/default.aspx
A few more details: This is a Silverlight application that uses ASP.NET AJAX application services to authenticate users against a SQL Server 2008 membership database. The application is designed to run over SSL so that authentication and all subsequent communication stay secure. The WCF hosting environment is configured to run in ASP.NET compatibility mode so that the run-time has access to HttpContext items, e.g. HttpContext.Current.User.Identity.IsAuthenticated. WCF service activation is completely denied for users who are not authenticated and enabled for users who are. The sample doesn't use roles, but it could easily be extended so that individual WCF service methods are protected at role level with the [PrincipalPermission] attribute.
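The following is an added illustration of the approach described above; it is not the project's own source code. It shows a ServiceAuthorizationManager descendant that denies every call unless the ASP.NET forms-authentication principal on the current request is authenticated, plus a service class marked as requiring ASP.NET compatibility mode so that HttpContext.Current is available. The namespace, type names and the extra HTTPS check are assumptions for the example.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

namespace SecureWcfSample // hypothetical namespace for this example
{
    // WCF calls CheckAccessCore once per incoming message, before the operation is
    // dispatched. Returning false makes the runtime reject the call with an
    // access-denied fault, so unauthenticated clients never reach service code.
    public class FormsAuthServiceAuthorizationManager : ServiceAuthorizationManager
    {
        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            // HttpContext.Current is only populated when the host runs in ASP.NET
            // compatibility mode. If it is missing, fail closed rather than open.
            HttpContext ctx = HttpContext.Current;
            if (ctx == null || ctx.User == null || ctx.User.Identity == null)
            {
                return false;
            }

            // The forms-authentication ticket issued by the ASP.NET AJAX
            // authentication service sets the principal for the request.
            if (!ctx.User.Identity.IsAuthenticated)
            {
                return false;
            }

            // Added defensive check (not part of the original write-up): only accept
            // the ticket when it arrived over HTTPS, so a captured cookie cannot be
            // replayed over a cleartext connection.
            if (!ctx.Request.IsSecureConnection)
            {
                return false;
            }

            // Let the base class evaluate any configured authorization policies.
            return base.CheckAccessCore(operationContext);
        }
    }

    [ServiceContract]
    public interface ISecureService
    {
        [OperationContract]
        string WhoAmI();
    }

    // Required so the runtime exposes HttpContext.Current to the service and the
    // authorization manager. web.config must also set
    // <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />.
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class SecureService : ISecureService
    {
        public string WhoAmI()
        {
            // Only reachable once CheckAccessCore has returned true.
            return HttpContext.Current.User.Identity.Name;
        }
    }
}
```

To wire the manager in, the service's behavior in web.config needs a `<serviceAuthorization serviceAuthorizationManagerType="SecureWcfSample.FormsAuthServiceAuthorizationManager, SecureWcfSample" />` element (assembly-qualified name assumed to match the example). Role-level checks, as the write-up suggests, would then go on individual operations with [PrincipalPermission], leaving the manager to enforce the authenticated-only gate for the whole service.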
...Additionally the way you're doing the CMS login and Bookmarks on the top right is brilliant. Well done mate. ;-)
Thanks Mark. The bookmark/sharing widget is the excellent http://www.addthis.com/ widget embedded into my CMS application, so I can't take credit for that... but I'll take full credit for the rest of the app.
Thank you for posting this. I have been struggling with how to successfully call a WCF service from the client and solved it after studying your example. Looking forward to studying and understanding your example in more depth. Thanks again. Randy
There's also another way: use the RIA Silverlight 4 Toolkit. Joe's solution is great, and hats off to him for figuring this out, but I have to point out in the interest of efficiency that if you plan on doing database operations via Linq and other such business methods, there's a 'built in' way of doing this, found in the information below. The catch is you have to be using a certain toolkit found only in Visual Studio 2010 for Silverlight. So, if you're going to go into VS 2010 (and I will soon), I would prefer, for business apps, to use the 'built in' way rather than Joe's excellent solution. Not sure if Joe's solution will work in VS2008, which is what I'm using now, however. PJ from another thread... Yes, and though I like your solution very much (though I could not get it to compile--still, I like the source code), in Visual Studio 2010, which I will be migrating to soon, there's a WCF 'built-in' authorization technique found in the RIA business toolkit described in this tutorial here: http://msdn.microsoft.com/en-us/library/ff713719(VS.91).aspx Also Tim Heuer has a video on this toolkit: http://go.microsoft.com/fwlink/?LinkId=166921 Basically it looks very similar to what you can do in VS2008, but with one big difference: authentication is "built in"; notice the attribute you can decorate your web method with, called [RequiresAuthentication()]. Then only logged-in users can access your web method thus decorated. This solves my problem (once I migrate to VS 2010).