WCF Authorization with Custom Principal
Hi, I am Syam Pinnaka, Sr. SDE in InfoSec tools team.
In AuthZ component of CISF, we have a requirement to perform authorization checks in a WCF service. Since CISF AuthZ module has a custom implementation of IPrincipal called as CISFPrincipal, Its looks little tricky to use the CISFPincipal in a WCF client. but WCF makes it easy with IAuthorizationPolicy interface as explained below.
In order to integrate a custom Principal with WCF, we need to set the “PrincipalPermissionMode” property to “Custom”. In addition, we also need to set the authorization policy that will be used to create the custom principal objet and supply it to WCF plumbing.
Here is a sample implementation.
Authorization Policy:
public class CISFAuthorizationPolicy: IAuthorizationPolicy
{
// this method gets called after the authentication stage
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
// Get the authenticated client identity
IIdentity client = GetClientIdentity(evaluationContext);
Microsoft.InformationSecurity.CISF.Security.AuthZServices.AuthZService auth = new AuthZService();
User singleuser = auth.GetUserInformation(client.Name, ConfigurationManager.AppSettings["ApplicationName"]);
// Set the custom principal
evaluationContext.Properties["Principal"] = new CISF.Security.Principal.CISFPrincipal(client, singleuser);
return true;
}
}
Configuration:
<behaviors> <serviceBehaviors> <behavior name='CISFCustomBehavior'> <serviceAuthorization principalPermissionMode='Custom'> <authorizationPolicies> <add policyType='Service.CISFAuthorizationPolicy, Service' /> </authorizationPolicies> </serviceAuthorization> </behavior> </serviceBehaviors> </behaviors>
Once the custom Principal is set in evalutationContext, regular authorization checks can be carried out based on custom principal. If custom principal implements Roles, PrincipalPermission.Demand can be used for imperative security check.
Alternatively, ServiceAuthorizationManager can be used to centralize the authorization logic instead of spreading the authorization logic all over the WCF service code. We can override the “CheckAccess” method to carry out our custom authorization check. One shortcoming of this method would be to modify this logic as new methods are added to or removed from the WCF service.
Feel free to contact me at syamp@microsoft.com if you need more details about any of the above approaches.
Happy coding and Happy New year, 2010!