.NET Forum / ASP.NET / Web Services / July 2006


Restricting Web Service Calls by domain group membership

Vagh - 20 Jul 2006 01:08 GMT
Hello,
I have been poring over the documentation for WSE 3.0 the last couple of
days and have blurry vision at this point. I was wondering if someone could
point me in the right direction.

I'm using Brokered Authentication, i.e. Active Directory to determine who
is invoking a web service method via a Web Application that uses integrated
Windows auth and has identity impersonate = true. I am reasonably certain my
application and services are configured correctly.

For example, if I have Services A, B, and C:
I'd like MyDomain\GroupManagers to use Services A and B and C.
I'd like MyDomain\Sales to only have access to Service C; if they use a web
application which calls service A or B it should throw an exception. I.e. the
service should have been able to recognize them based on their identity (I
assume via the token?) and cause the call to fail.

I've been trying to do this simply via the policy configuration tool to no
success, i.e securing a service and doing "allow Role=<groupName>" doesn't
seem to be working.

Again my goal here is to restrict usage of services by domain groups. If
this is perhaps the wrong way to accomplish what I am trying, let me know
that as well :).

Thanks in advance for any help.

~ V
P.S. I am probably grossly missing a concept so I was wanting some guidance.
Vagh - 20 Jul 2006 01:41 GMT
Hmm I found some code on MSDN that does it at a programmatic level:

using System.Security.Principal;
using System.Web;

// Cast the current ASP.NET user to a WindowsPrincipal; the cast yields null
// if the request was not Windows-authenticated, so check before calling IsInRole.
WindowsPrincipal wp = HttpContext.Current.User as WindowsPrincipal;
if (wp != null && wp.IsInRole(@"Domain\Managers"))
{
    // User is authorized to give bonus
    // . . .
}

in that case do I need WSE at all... gah..

Pablo Cibraro - 20 Jul 2006 16:03 GMT
Hi,

hmm, no. You do not need to use WSE at all, WSE is only useful when you need
to use some WS-* spec such as WS-Security to secure messages (Encrypt and
Sign) or use WS-Addressing.
In your case, you only need to perform authentication and authorization, and
that can be done as you did (Using Windows security).

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

Howard Hoffman - 21 Jul 2006 21:19 GMT
Another option is based on ASMX authorization in ASP.NET.  Say you have
services A, B and C surfaced by pages A.asmx, B.asmx and C.asmx
respectively.  You can use the <location path="A.asmx"> construct like so:

<!-- In web.config, <location> sits directly under <configuration>, and the
     <authorization> element must be wrapped in <system.web> to take effect. -->
<location path="A.asmx">
    <system.web>
        <authorization>
            <allow roles=".\ServiceACallers" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

etc.

where you populate ".\ServiceACallers" (local machine group named
ServiceACallers) with who you want to be able to call the service.  The nice
thing about this pattern is that it's configuration-driven, not hard-coded.

The AuthorizationAssertion is going to be looking not at
HttpContext.Current.User, but instead at the Soap Envelope credentials -- so
they have to be populated correctly via a client side security assertion
(such as Kerberos or UsernameToken).

Any of the approaches we've enumerated works.

HTH,

Howard Hoffman

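Putting the thread's scenario into code, as an added example that is not from any of the posters: an ASMX service that checks domain group membership per method and fails closed with a SOAP fault when the caller is not a Windows principal or is not in an allowed group. It assumes Windows authentication with impersonation as in the question; the GroupAuthorization helper, the method names and the example.invalid namespaces are invented for illustration, and the group names are the placeholders from the question.

```csharp
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical helper (not from the thread): fails closed unless the caller
// is a Windows-authenticated member of at least one of the listed groups.
public static class GroupAuthorization
{
    public static WindowsPrincipal RequireMembership(IPrincipal user, params string[] groups)
    {
        WindowsPrincipal wp = user as WindowsPrincipal;
        // Anonymous, Forms-authenticated or otherwise non-Windows caller: deny.
        if (wp == null || wp.Identity == null || !wp.Identity.IsAuthenticated)
            throw new SoapException("Caller is not Windows-authenticated.",
                                    SoapException.ClientFaultCode);
        foreach (string group in groups)
            if (wp.IsInRole(group))   // IsInRole resolves domain groups, e.g. DOMAIN\Group
                return wp;
        throw new SoapException("Caller " + wp.Identity.Name + " is not in a permitted group.",
                                SoapException.ClientFaultCode);
    }
}

// Service A: Managers only. A Sales caller receives a SOAP fault instead of the result.
[WebService(Namespace = "http://example.invalid/ServiceA")]
public class ServiceA : WebService
{
    [WebMethod]
    public string GetManagerReport()
    {
        // Placeholder group name from the question; replace with the real domain group.
        WindowsPrincipal caller =
            GroupAuthorization.RequireMembership(User, @"MyDomain\GroupManagers");
        return "Manager report for " + caller.Identity.Name;
    }
}

// Service C: both groups may call; the check lists every permitted group.
[WebService(Namespace = "http://example.invalid/ServiceC")]
public class ServiceC : WebService
{
    [WebMethod]
    public string GetPriceList()
    {
        GroupAuthorization.RequireMembership(User, @"MyDomain\GroupManagers", @"MyDomain\Sales");
        return "Price list";
    }
}
```

The check is only as strong as the identity behind it: web.config still needs <authentication mode="Windows" /> and a <deny users="?" /> rule, otherwise User is not a WindowsPrincipal and every call is refused.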
