I am working on a Silverlight v3 web app and I would like to secure access to the WCF service I am using to fetch my data. I currently have the WCF working just fine, but it doesn’t require any user credentials.
I’m not very experienced with this aspect of WCF, so my first idea was to add username and password parameters to each of my service’s operations. The problem I have with this is that this would require a lot of redundant code, and the fact that the username and password would be transferred over the wire in plain text.
What I would like is a way to specify the credentials upfront on the client side right after I create my service proxy (I am using the proxy autogenerated from “Add Service Reference”).
Upon googling for a solution to this, I could only find solutions that are similar to my first idea (using username/password parameters). Could someone please point me in the right direction?
Thanks!
Where are these usernames and passwords coming from? If your web site already implements Forms authentication then you can bypass setting credentials yourself and use the forms authentication cookie. If your users are logged in then the cookie will travel with the web service call. In order to read it on the other side you need to make a couple of changes.
First you need to enable ASP.NET compatibility mode for WCF in the system.serviceModel section:
Once that is done, then for each service method you want to understand the ASP.NET cookie, add the [AspNetCompatibilityRequirements] attribute to your service class.
Now within each method you can access the HttpContext.Current.User.Identity object to discover the user’s identity.
If you only want certain methods to be called by authenticated users then you can use a PrincipalPermission thus
As a bonus if you’re using ASP.NET’s role provider then those will also be populated and you can then use a PrincipalPermission on methods to limit them to members of a particular role:
And this works in Silverlight 2 as well, obviously.
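The steps in the answer above, put together as an added example that is not part of the original answer: the compatibility-mode setting, the attribute on the service class, reading the identity, and the two kinds of PrincipalPermission demand. `IOrderService`, `OrderService` and the `Administrators` role are hypothetical names, and the `requireSSL` setting is an added assumption that the site is served over HTTPS.

```csharp
// Added example. IOrderService, OrderService and the "Administrators" role are hypothetical.
//
// web.config (fragment):
//   <system.serviceModel>
//     <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
//   </system.serviceModel>
//   <!-- In system.web: keep the forms cookie off plain HTTP -->
//   <authentication mode="Forms"><forms requireSSL="true" /></authentication>
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

[ServiceContract]
public interface IOrderService
{
    [OperationContract] string WhoAmI();
    [OperationContract] string[] GetOrders();
    [OperationContract] void DeleteOrder(int id);
}

// Required: the service refuses to activate unless compatibility mode is on,
// so HttpContext.Current is never silently null.
[AspNetCompatibilityRequirements(
    RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class OrderService : IOrderService
{
    public string WhoAmI()
    {
        var identity = HttpContext.Current.User.Identity;
        return identity.IsAuthenticated ? identity.Name : "(anonymous)";
    }

    // Demands are evaluated against Thread.CurrentPrincipal; confirm in your
    // configuration that it carries the same identity as HttpContext.Current.User.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string[] GetOrders()
    {
        return new[] { "order for " + HttpContext.Current.User.Identity.Name };
    }

    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public void DeleteOrder(int id)
    {
        // Reached only by callers in the role; others get a SecurityException.
    }
}
```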