234 CHAPTER 7 ■ IMPLEMENTING WCF SECURITY

Authorization in WCF

How can you authorize users in WCF? What is the difference between authentication and authorization in the first place? You should also take this opportunity to investigate some of the .NET Framework offerings that handle authentication and authorization. You'll first investigate the fundamentals of the .NET application security model.

■Note The .NET Framework offers a rich set of APIs (based on the IPrincipal interface) to manage authentication and authorization. The objective is to create a specialized, static (created once) Principal object after the Active Directory authentication is approved. This Principal object will securely live on the client's desktop and serve authorization requests during the life span of the user session. Authentication and authorization are provided by different providers, and this provider information is usually kept in configuration files. The objective is to seamlessly transfer the user context from one authentication or authorization provider to another without any code changes. This is the best practice in the industry. It is important to note that WCF explicitly does not address authentication and authorization itself. What WCF does is evaluate claims and authenticate and authorize these claim sets, utilizing the .NET Framework to satisfy the security requirements.

IPrincipal Interface

The cornerstone of the .NET security model is the IPrincipal interface. Developers build an object that implements IPrincipal (usually called Principal) to incorporate the authentication and authorization information regarding a specific user. So, what is the difference between authentication and authorization?

Authentication: This is the process of identifying users. It is commonly performed by requesting a username-password pair or a certificate to verify the authenticity of the user. (Who is the user? Can you identify him as a manager in your system?)

Authorization: Authorization happens after authentication. It addresses the question, what does the user have access to after authentication? The user is already known to the Windows runtime, but what can the user access in the system? For example, does the user have delete access for a purchase order if the user logs in with the Manager role?

Authentication is mainly performed by API calls to Active Directory. Active Directory will return a confirmation of the identity or deny access to the system. The authorization details in most cases have to be explicitly coded. Authorization in .NET is based on roles. (For example, the SeniorManager role can delete purchase orders, whereas the Manager role is not entitled to the same privilege.) Therefore, before you delete a purchase order, you need to check whether the currently logged-in user has the SeniorManager role attached to his profile. You do this by utilizing the IsInRole function. The code is similar to the following code, which queries whether the currently logged-in user has the SeniorManager role before proceeding to delete the purchase order:
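The following is an added, stand-alone C# illustration of the IsInRole check described above; it is not the book's own listing. The PurchaseOrderService and DeletePurchaseOrder names, and the two constructed principals standing in for an Active Directory result, are assumptions made for this example.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Constructed example (not the book's listing): a purchase-order service that
// separates the authentication check (is the caller known?) from the
// authorization check (does the known caller hold the SeniorManager role?).
public class PurchaseOrderService
{
    public static bool DeletePurchaseOrder(int orderId)
    {
        IPrincipal principal = Thread.CurrentPrincipal;

        // Authentication: refuse anything that is not an authenticated identity.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");

        // Authorization: role membership decides what the known user may do.
        if (!principal.IsInRole("SeniorManager"))
        {
            Console.WriteLine($"Denied: {principal.Identity.Name} is not a SeniorManager.");
            return false;
        }

        Console.WriteLine($"Purchase order {orderId} deleted by {principal.Identity.Name}.");
        return true;
    }

    public static void Main()
    {
        // Constructed principals standing in for the result of an Active Directory login.
        var manager = new GenericPrincipal(new GenericIdentity("alice", "Constructed"),
                                           new[] { "Manager" });
        var senior = new GenericPrincipal(new GenericIdentity("bob", "Constructed"),
                                          new[] { "Manager", "SeniorManager" });

        Thread.CurrentPrincipal = manager;
        DeletePurchaseOrder(1001); // denied: Manager role only

        Thread.CurrentPrincipal = senior;
        DeletePurchaseOrder(1001); // allowed: holds SeniorManager
    }
}
```

Inside a WCF service operation the same role gate is usually expressed with PrincipalPermissionAttribute (Role = "SeniorManager") or by inspecting ServiceSecurityContext.Current; this example uses Thread.CurrentPrincipal so that it runs as a plain console program.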
