I have a simple WCF Service hosted on IIS 8 that uses wsHttpBinding. I want to be able to control which users (domain accounts) have access to the service. How can I do that? Perhaps there are several ways to do this. Can I define the accounts in the web.config file or do I set this up in IIS?
wsHttpBinding, just allow certain accounts to access a service
241 Views Asked by Pelle At
There are 2 best solutions below

You could use a Custom Authenticator.
You would need to inherit UserNamePasswordValidator from the System.IdentityModel.Selectors namespace.
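    using System.IdentityModel.Selectors; // UserNamePasswordValidator
    using System.IdentityModel.Tokens;    // SecurityTokenException
    using System.ServiceModel;            // FaultException

    public class ServiceValidator : UserNamePasswordValidator
    {
        // WCF calls this for each UserName credential presented to the service.
        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrWhiteSpace(password))
            {
                throw new SecurityTokenException("Username and password required");
            }
            else
            {
                if (Authenticate(userName, password))
                {
                    // no need to do anything else if authentication was successful. the request will be redirected to the correct web service method.
                }
                else
                {
                    throw new FaultException("Wrong username or password ");
                }
            }
        }

        // Authenticate(userName, password) is your own credential check; it is not shown here.
    }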
Web.config for the server:
    <behaviors>
      <serviceBehaviors>
        <behavior name="SomeServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyApp.ServiceValidator, MyApp" />
            <serviceCertificate findValue="CertificateNameHere" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <bindings>
      <wsHttpBinding>
        <binding name="RequestUserName">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
These are the basics of what you will have to implement. You could then, in your Authenticate/Authorize method, restrict which users should be allowed to make calls to the web service methods.
You can use PrincipalPermission to control it.
Check out this answer: WCF security with Domain Groups
And here you can catch up on msdn: http://msdn.microsoft.com/en-us/library/ms735093(v=vs.110).aspx
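
The PrincipalPermission approach as an added example (not code from either answer). It assumes the binding uses Windows client credentials, which is the wsHttpBinding default, with the default principalPermissionMode; the CONTOSO names, the IOrderService contract and the AllowedAccounts appSettings key are placeholders.

```csharp
using System;
using System.Configuration;
using System.Security;
using System.Security.Permissions;
using System.ServiceModel;

[ServiceContract]
public interface IOrderService            // hypothetical contract
{
    [OperationContract] string GetStatus(int orderId);
    [OperationContract] void Cancel(int orderId);
}

public class OrderService : IOrderService
{
    // Declarative: the caller must be a member of this domain group.
    // Several PrincipalPermission attributes on one method are OR-ed together.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\OrderServiceUsers")]
    public string GetStatus(int orderId)
    {
        return "Pending";
    }

    // Imperative: the allow-list lives in web.config, for example
    // <appSettings><add key="AllowedAccounts" value="CONTOSO\alice;CONTOSO\svc-orders" /></appSettings>
    public void Cancel(int orderId)
    {
        DemandAllowedAccount();
        // ... perform the cancellation here ...
    }

    private static void DemandAllowedAccount()
    {
        string raw = ConfigurationManager.AppSettings["AllowedAccounts"] ?? string.Empty;
        IPermission allowed = null;
        foreach (string account in raw.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            // A null role means "any role"; only the account name is checked.
            IPermission one = new PrincipalPermission(account.Trim(), null);
            allowed = allowed == null ? one : allowed.Union(one);
        }
        // Fail closed: a missing or empty list denies every caller.
        if (allowed == null)
            throw new SecurityException("No accounts are configured for this operation.");
        allowed.Demand();                 // throws SecurityException if the caller is not listed
    }
}
```

A failed demand throws SecurityException on the service side, which WCF returns to the client as an access-denied fault.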