WCF PrincipalPermission Authorization

2.6k views Asked by At

I'm trying to setup role authorization on each wcf web method.

Maybe I'm doing something wrong but I just can't get the authorization to take place.

I have a UserNamePasswordValidator that authorizes the user access to the service.

An authorization policy then gets the user roles and sets the principal against the evalutaionContext. I have tried this with GenericPrincipal and my own CustomPrincipal.

However the web methods are always executed no matter the role.

AuthorizationPolicy

class AuthorizationPolicy : IAuthorizationPolicy {
        public bool Evaluate(EvaluationContext evaluationContext, ref object state) {         

            IIdentity client = GetClientIdentity(evaluationContext);

            string[] roles = new string[1];
            roles[0] = GetRoles(client);
            GenericPrincipal newPrincipal = new GenericPrincipal(client, roles);
            //CustomPrincipal newPrincipal = new CustomPrincipal(client, roles);
            evaluationContext.Properties["Principal"] = newPrincipal;                
            return true;
        }

        private IIdentity GetClientIdentity(EvaluationContext evaluationContext) {
            object obj;
            if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
                throw new Exception("No Identity found");

            IList<IIdentity> identities = obj as IList<IIdentity>;
            if (identities == null || identities.Count <= 0)
                throw new Exception("No Identity found");

            return identities[0];
        }

How does PrincipalPermission link into the principal?

[OperationContract]
        [WebInvoke(Method = "GET",
                    ResponseFormat = WebMessageFormat.Json,
                    UriTemplate = "/GetResults")]
        [PrincipalPermission(SecurityAction.Demand, Role = "User")]
        int? GetResults();

My CustomPrincipal has an IsInRole method, should I be doing something else to ensure the PrincipalPermission verifies the role?

1

There are 1 answers

0
JIbber4568 On BEST ANSWER

Ok, found my problem with this. Bit stupid but I had the PrincipalPermssions in place on the interface whereas they need to be in place against the method.