Authorization
Authorization is concerned with what
the caller is allowed to do: typically, which operations the client is
allowed to invoke on the service. Authorizing of the caller is done
under the assumption that the caller is indeed who the caller claims to
be—in other words, authorization is meaningless without authentication.
For authorization, the service typically relies on some kind of
credentials store, where callers are mapped to logical roles. When
authorizing an operation, the operation declares or explicitly demands
that only certain roles can access it, and the service needs to look up
the caller’s role or roles from the store and verify that the caller is
a member of the requested roles. Out of the box, WCF supports two
credentials stores: the service can use Windows groups (and accounts)
for authorization, or it can use an ASP.NET provider (such as the SQL
Server provider) to store user accounts and roles. WCF also supports
custom role repositories, but I have found that the easiest option by
far for implementing a custom store is to implement a custom ASP.NET
provider. This chapter will address
the ASP.NET
providers at length
later.
Note
WCF offers an elaborate and extensible infrastructure for authenticating and authorizing the caller based on a set of claims contained in the message. However, discussion of this mechanism is beyond the scope of this book.
Get Programming WCF Services, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.