You can download the source code and see more details on this project here.
We will show you how to set up WCF Basic Authentication using the SQL Membership Provider provided by Microsoft. It is highly recommended that you walk through the explanations while looking at the source code, as it will help you gain a more solid understanding. You can also run the application on your computer.
We will assume you already know how to set up WCF to run under https, since basic authentication without https would be meaningless: the user name and password would be passed as plain text over the network.
We will show you:
- How to set up the database and the Web Site Administration Tool from the .net framework for managing the Users and Roles
- How to set up WCF Basic Authentication under https and use the SQL Membership Provider to validate users and roles
- How to make your WCF service consumable by other platforms such as Java by making the WSDL a single file
You can also see how to make your service consumable by any technology and also set up error handling here.
First let's see the application. You can manage the users and roles using the ASP .net Web Site Administration Tool from the .net framework:
You can see the WCF service running under https requiring the user to input a user name and password for Basic Authentication. The user name and the password would be from the users that you have added from the Administration Tool:
In the client application you can test the user name and password:
You can also test the user's access to a service based on the roles assigned to the user in the Administration Tool:
Setup Database for SQL Membership Provider
First create the database for the SQL Membership Provider by opening the command prompt and navigating to the location of the .net framework library, such as: C:\Windows\Microsoft.NET\Framework64\v4.0.30319
Then run the following command:
Aspnet_regsql -S dbServerName -A all -E
Replace dbServerName with the name of your database server. Below is what you should see if you create the database on your computer:
And you should see the new database created:
Make sure to grant the account that will run the wcf service permission to execute the stored procedures in the aspnetdb database.
Setup User Administration Tool
The ASP .net Web Site Administration Tool works by looking at the web.config of the wcf service, where it has the connection string to the database, and renders the information to the administrator:
The tool has to know the location of the wcf application in order to let you manage the users and roles of that application.
First let's setup the Admin Tool. Create an application pool to host the Administration Tool in IIS. We just call it AspNetWebSiteAdmin:
Then create an application in IIS (much like a virtual directory) that points to the location of the Administration Tool, which is at: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles
Click on the Advanced Settings of the newly created application, and set the Physical Path Credentials to the user account that will have access to the path of the Administration Tool (C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles). Be sure to grant read and execute permission on the following folder to the account that runs the Admin Tool: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles
Open the file below using notepad:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\web.config
Change the <authorization> part of the xml to allow anonymous users (for your testing purposes):
Now we need to set up the WCF application that has the web.config that points to the database. First place the wcf application in a folder; for example, the path in our case was: C:\Prototype\DevLake.BasicAuth\DevLake.BasicAuth.Service
Make sure to grant access to this folder for the account that runs the Admin Tool.
You can now access the Admin Tool by opening a browser with the url that points to the location of the wcf service. In case you are wondering:
- The Tool can be opened only on the same computer that is running the Admin Tool. It will not run if you open the browser from another computer.
- The wcf application does not need to be running for you to use the Admin Tool. The tool just needs to access the web.config of the application.
Below is the url format to open the Admin Tool:
http://localhost/AspNetWebSiteAdmin/default.aspx?applicationPhysicalPath=[ApplicationPath]&applicationUrl=[ApplicationUrl]
Make sure to substitute the [ApplicationPath] and the [ApplicationUrl] parameters. An example of the url would be:
http://localhost/AspNetWebSiteAdmin/default.aspx?applicationPhysicalPath=C:\Prototype\DevLake.BasicAuth\DevLake.BasicAuth.Service&applicationUrl=/DevLake.BasicAuth.Service
Using the tool you can now add users, roles, and assign the users to the roles. Go ahead and add a user and a role using the Admin Tool under the Security tab.
Setup the WCF Basic Authentication Application
The wcf application provided runs under https. Be sure to see how to run wcf under https if you are not familiar with it.
Set up the application in IIS to run under the name DevLake.BasicAuth.Service so that it can be found under the following url: https://localhost/DevLake.BasicAuth.Service/BasicAuthService.svc
Now you can see the service under https after you have entered the user name and password that you have added using the admin tool:
Basic Authentication
Basic Authentication, the process in which the client is challenged for a user name and a password, is implemented using an HttpModule. There are 2 parts in the process:
- The first part is to ask the client for a user name and a password
- The second part is to process the user name and password entered by the user and determine the action to take
The logic is in the BasicAuthHttpModule class. The else part prompts the client for a user name and a password, and the if part processes the user name and the password:
If the user is validated we assign the user's Principal to the application's context so that we can validate the user's roles. If the user entered the wrong user name or password we just give it a 401 access denied error. To make the BasicAuthHttpModule work in wcf we need to add the following configuration in the web.config of the service:
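As an added example (not the project's own BasicAuthHttpModule), here is how such a module can be written: the Authorization header is decoded and checked with Membership.ValidateUser against the configured SQL Membership Provider, and a RolePrincipal is attached to the context so roles can be checked later in the pipeline. The realm string and the choice of the AuthenticateRequest event are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example of an HttpModule for Basic Authentication; the realm name is assumed.
public class BasicAuthHttpModule : IHttpModule
{
    private const string Realm = "DevLake.BasicAuth.Service";

    public void Init(HttpApplication context)
    {
        context.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string header = app.Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
        {
            Challenge(app); // "else" part: no credentials yet, ask the client for them
            return;
        }
        // "if" part: decode "user:password" and validate it through the membership provider
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { Challenge(app); return; } // malformed header, treat as a bad login
        int sep = decoded.IndexOf(':');
        if (sep > 0 && Membership.ValidateUser(decoded.Substring(0, sep), decoded.Substring(sep + 1)))
        {
            // RolePrincipal resolves roles through the configured RoleProvider (SQL Membership),
            // so later IsInRole / PrincipalPermission checks see the roles assigned in the Admin Tool.
            app.Context.User = new RolePrincipal(new GenericIdentity(decoded.Substring(0, sep), "Basic"));
            return;
        }
        Challenge(app); // wrong user name or password: 401, same as the "no credentials" case
    }

    private static void Challenge(HttpApplication app)
    {
        app.Response.StatusCode = 401;
        app.Response.AddHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        app.CompleteRequest();
    }
}
```

Because the module answers every failure with 401 itself, the web.config authentication mode can stay None, which is what keeps the client from being redirected to login.aspx.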
Included in the web.config are also the connection string to the database and the membershipProvider, and we set the authentication mode to None since we don't want the client to be redirected to login.aspx:
We define a service behavior to be used by the service, and in the service behavior we refer to the membershipProvider:
Role Based Authorization
We can define a role so that only users in the role can access the service methods. We have the TestRoleAccess service method that only users in Role1 can access:
We then define an authorization policy where we assign the Principal and the Identity from the application context to the evaluation context in the CommonAuthorizationPolicy class:
The class is then referred in the web.config's service behavior:
In order to retrieve HttpContext.Current in the authorization policy we need to make the service ASP .Net compatible; otherwise you would get null for HttpContext.Current when you try to evaluate the authorization policy. To make the service ASP .Net compatible you just need to add the following attribute to the service:
And also set the aspNetCompatibilityEnabled property to true in the web.config:
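The authorization policy and the role-restricted TestRoleAccess method, as an added example rather than the project's own code. It assumes the web.config service behavior lists CommonAuthorizationPolicy under authorizationPolicies with principalPermissionMode set to Custom, and the contract name IBasicAuthService is ours.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Threading;
using System.Web;

// Added example: copies the principal the HttpModule stored in HttpContext.Current into
// the WCF evaluation context so that PrincipalPermission demands can check roles.
public class CommonAuthorizationPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // HttpContext.Current is only non-null when aspNetCompatibilityEnabled="true".
        HttpContext ctx = HttpContext.Current;
        IPrincipal principal = (ctx != null && ctx.User != null)
            ? ctx.User
            : new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]); // no roles: demands fail
        evaluationContext.Properties["Principal"] = principal;
        evaluationContext.Properties["Identities"] = new List<IIdentity> { principal.Identity };
        return true;
    }
}

[ServiceContract]
public interface IBasicAuthService
{
    [OperationContract]
    string TestRoleAccess();
}

// Required so the policy can read HttpContext.Current (see the web.config setting above).
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class BasicAuthService : IBasicAuthService
{
    // Only users in Role1 may call this; anyone else gets a SecurityException, returned as a fault.
    [PrincipalPermission(SecurityAction.Demand, Role = "Role1")]
    public string TestRoleAccess()
    {
        return "Hello " + Thread.CurrentPrincipal.Identity.Name;
    }
}
```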
Production Environment Implementation
The code in this project is used to show you how things work. In a production environment you should separate the project into different parts as diagrammed below:
The ProxyService in the DMZ would host the HttpModule asking for the user name and password from the client via https; it should then validate the user using the AuthenticationService inside the internal network via https. After the user is deemed valid the ProxyService can then contact the InternalService to service the user. This is so that:
- The database for the user accounts and the Administration Tool will not be in the DMZ
- You can reuse the AuthenticationService as you build more services in the future
Furthermore, once the client is validated, an encrypted cookie should be sent to the client so that the ProxyService would not need to contact the AuthenticationService for subsequent requests.
Also note that Basic Authentication via https is not the most secure means of providing a public web service. Anyone who has the user name, password, and the url will be able to access your service, and you will not be able to tell if the client is who you think they really are. However, it is the easiest form of service for most businesses to consume, since a lot of businesses are not capable of doing a certificate exchange. We hope you will find this project helpful in building your wcf services.