Windows Communication Foundation Role Service Overview

The Windows Communication Foundation (WCF) role service enables you to access a user's roles from any application that can send and consume a SOAP message. This can include applications that do not use the .NET Framework. Users of these different applications therefore can have the same roles in each application. You typically check a user's roles to determine which actions the user has permission to perform.

This topic contains the following sections:

  • Scenarios

  • Background

  • Code Examples

  • Class Reference

Scenarios

You access the role service as a WCF service when you have to determine a user's application roles from an application that is not an ASP.NET Web application. This can include a console application, a Windows Forms application, or an application that is not developed with the .NET Framework. The application must be able to send and consume a SOAP message.

Back to top

Background

The role service provides only a subset of features that are available through ASP.NET role management. The role service enables you to retrieve the roles for a user or to check if the user belongs to particular role. For information about other role management features, see Managing Authorization Using Roles.

You can retrieve roles only for the authenticated user who is associated with the current session. You can authenticate the user through any of the authentication providers supported by ASP.NET. This includes using forms authentication through a WCF service. For more information about the authentication service, see Windows Communication Foundation Authentication Service Overview.

Security and the Role Service

You can use the WCF role service as a way to manage the user interface based on the user's authorization settings. However, do not rely only on the role service for critical security checks. Always check the user's permissions in server code before you allow the user to perform a critical function. A malicious user can change the information returned by the role service to access components that the user does not have permission to access. For example, you can use role service to determine whether a user has permission to see a form for submitting a new order. However, when the new order is submitted, you must check again that the user belongs to a role that is authorized to submit an order.

Note

Never display sensitive data based on the results of a call to the role service.

Configuring the Role Service

To enable applications to access roles information through a WCF service, you must configure the WCF role service on a Web server. For more information, see How to: Enable the WCF Role Service.

Back to top

Code Examples

Walkthrough: Using ASP.NET Application Services

How to: Enable the WCF Role Service

Back to top

Class Reference

The following table lists the key server classes for the WCF role application service.

  • RoleService
    Provides access to role information through a Web service.

Back to top

See Also

Tasks

Walkthrough: Using ASP.NET Application Services

Reference

RoleService