Programming WCF Services : Security - Intranet Application Scenario (part 7) - Identity Management, Callbacks

10/15/2013 7:47:12 PM

8. Identity Management

In the intranet scenario, after successful authentication, WCF will attach to the operation thread a principal identity of the type WindowsIdentity, which will have the value of its Name property set to the username (or Windows account) provided by the client. Since valid credentials are provided, the security call context’s two identities—the primary identity and the Windows identity—will be set to the same identity as the principal identity. All three identities will be considered authenticated. The identities and their values are shown in Table 1.

Table 1. Identity management in the intranet scenario
Thread principalWindowsIdentityUsernameYes
Security context primaryWindowsIdentityUsernameYes
Security context WindowsWindowsIdentityUsernameYes

Windows Roles Localization

If your application is deployed in international markets and you use Windows groups as roles, it’s likely the role names will not match. In the intranet scenario, the principal object attached to the thread accessing the service is of the type WindowsPrincipal:

public class WindowsPrincipal : IPrincipal
public WindowsPrincipal(WindowsIdentity ntIdentity);

//IPrincipal implementation
public virtual IIdentity Identity
public virtual bool IsInRole(string role);

//Additional methods:
public virtual bool IsInRole(int rid);
public virtual bool IsInRole(WindowsBuiltInRole role);

WindowsPrincipal provides two additional IsInRole() methods that are intended to ease the task of localizing Windows NT groups. You can provide IsInRole() with an enum of the type WindowsBuiltInRole matching the built-in NT roles, such as WindowsBuiltInRole.Administrator or WindowsBuiltInRole.User. The other version of IsInRole() accepts an integer indexing specific roles. For example, a role index of 512 maps to the Administrators group. The MSDN Library contains a list of both the predefined indexes and ways to provide your own aliases and indexes to user groups.

Note that while the host processes retain their designated identities, the principal identity will be that of the caller. I call this behavior soft impersonation. When it is used in conjunction with role-based security, it largely negates the need to ever perform real impersonation and replace the security token with that of the client.

9. Callbacks

When it comes to security on the intranet, there are several key differences between normal service operations and callbacks. First, with a callback contract you can only assign a protection level at the operation level, not the callback contract level. For example, this protection-level constraint will be ignored:

[ServiceContract(CallbackContract = typeof(IMyContractCallback))]
interface IMyContract

//Demand for protection level will be ignored
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
interface IMyContractCallback

Only the service contract designating the callback contract can set a contract-level protection constraint. WCF deliberately ignores the service contract attribute on the callback contract  to avoid a potential conflict between two contract attributes that apply to the same channel.

You can take advantage of operation-level demand for a protection level as follows:

[ServiceContract(CallbackContract = typeof(IMyContractCallback))]
interface IMyContract

interface IMyContractCallback
[OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
void OnCallback();

All calls into the callback object come in with an unauthenticated principal, even if Windows security was used across the board to invoke the service. As a result, the principal identity will be set to a Windows identity with a blank identity, which will preclude authorization and role-based security.

While the callback does have a security call context, the Windows identity will be set to a WindowsIdentity instance with a blank identity, which will preclude impersonation. The only meaningful information will be in the primary identity, which will be set to the service host’s process identity and machine name:

class MyClient : IMyContractCallback
public void OnCallback()
IPrincipal principal = Thread.CurrentPrincipal;
Debug.Assert(principal.Identity.IsAuthenticated == false);

ServiceSecurityContext context = ServiceSecurityContext.Current;
Debug.Assert(context.PrimaryIdentity.Name == "MyHost/localhost");

Debug.Assert(context.IsAnonymous == false);

I recommend avoiding any sensitive work in the callback, since you cannot easily use role-based security.

Top 10
Review : Sigma 24mm f/1.4 DG HSM Art
Review : Canon EF11-24mm f/4L USM
Review : Creative Sound Blaster Roar 2
Review : Philips Fidelio M2L
Review : Alienware 17 - Dell's Alienware laptops
Review Smartwatch : Wellograph
Review : Xiaomi Redmi 2
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8