I'm trying to set up role authorization on each WCF web method.
Maybe I'm doing something wrong but I just can't get the authorization to take place.
I have a UserNamePasswordValidator that authorizes the user access to the service.
An authorization policy then gets the user roles and sets the principal against the evaluationContext. I have tried this with GenericPrincipal and my own CustomPrincipal.
However the web methods are always executed no matter the role.
AuthorizationPolicy
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;

class AuthorizationPolicy : IAuthorizationPolicy {
    // Id and Issuer are required by IAuthorizationPolicy (missing in the original snippet).
    private readonly string _id = Guid.NewGuid().ToString();
    public string Id { get { return _id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state) {
        IIdentity client = GetClientIdentity(evaluationContext);
        string[] roles = new string[1];
        roles[0] = GetRoles(client);
        // WCF copies this object to Thread.CurrentPrincipal when principalPermissionMode="Custom".
        GenericPrincipal newPrincipal = new GenericPrincipal(client, roles);
        //CustomPrincipal newPrincipal = new CustomPrincipal(client, roles);
        evaluationContext.Properties["Principal"] = newPrincipal;
        return true;
    }

    private IIdentity GetClientIdentity(EvaluationContext evaluationContext) {
        object obj;
        if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
            throw new Exception("No Identity found");
        IList<IIdentity> identities = obj as IList<IIdentity>;
        if (identities == null || identities.Count <= 0)
            throw new Exception("No Identity found");
        return identities[0];
    }

    // Role lookup is not shown in the question; placeholder body so the class compiles.
    private string GetRoles(IIdentity client) {
        return "User";
    }
}
How does PrincipalPermission link into the principal?
[OperationContract]
[WebInvoke(Method = "GET",
           ResponseFormat = WebMessageFormat.Json,
           UriTemplate = "/GetResults")]
[PrincipalPermission(SecurityAction.Demand, Role = "User")]
int? GetResults();
My CustomPrincipal has an IsInRole method, should I be doing something else to ensure the PrincipalPermission verifies the role?
Ok, found my problem with this. Bit stupid but I had the PrincipalPermissions in place on the interface whereas they need to be in place against the method.
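A minimal service showing where the attribute has to go, as an added example that is not the asker's code; the service and contract names, the return value and the in-process Demo stand-in for the WCF dispatcher are assumptions.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Threading;

[ServiceContract]
public interface IResultsService
{
    // No [PrincipalPermission] here: an interface method has no body, so a
    // declarative demand placed on it is never executed.
    [OperationContract]
    [WebInvoke(Method = "GET", ResponseFormat = WebMessageFormat.Json,
               UriTemplate = "/GetResults")]
    int? GetResults();
}

public class ResultsService : IResultsService
{
    // The demand belongs on the implementation: the CLR checks it on entry to this
    // method via Thread.CurrentPrincipal.IsInRole("User"). WCF copies the object the
    // policy stored in evaluationContext.Properties["Principal"] to Thread.CurrentPrincipal
    // only when the service behaviour sets principalPermissionMode="Custom" and lists
    // the policy under <authorizationPolicies>.
    [PrincipalPermission(SecurityAction.Demand, Role = "User")]
    public int? GetResults()
    {
        return 42; // assumed sample value
    }
}

public static class Demo
{
    // Stands in for the WCF dispatcher: sets the principal the policy would have
    // produced, then calls the operation directly to show the demand being enforced.
    public static void Main()
    {
        var service = new ResultsService();
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "User" });
        Console.WriteLine("alice: " + service.GetResults());

        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Guest" });
        try { service.GetResults(); }
        catch (SecurityException) { Console.WriteLine("denied: bob is not in role User"); }
    }
}
```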