In the previous post I showed how token based authentication can be implemented for WCF HTTP based services.
Authentication is the process of finding out who the user is – this includes anonymous users. Then it is up to the service to decide under which circumstances the client has access to the service as a whole or individual operations. This is called authorization.
By default – my framework does not allow anonymous users and will deny access right in the service authorization manager. You can however turn anonymous access on – that means technically, that instead of denying access, an anonymous principal is placed on Thread.CurrentPrincipal. You can flip that switch in the configuration class that you can pass into the service host/factory.
var configuration = new WebTokenWebServiceHostConfiguration
AllowAnonymousAccess = true
But this is not enough, in addition you also need to decorate the individual operations to allow anonymous access as well, e.g.:
public string GetInfo()
Inside these operations you might have an authenticated or an anonymous principal on Thread.CurrentPrincipal, and it is up to your code to decide what to do.
Side note: Being a security guy, I like this opt-in approach to anonymous access much better that all those opt-out approaches out there (like the Authorize attribute – or this.).
Since there is a ClaimsPrincipal available, you can use the standard WIF claims authorization manager infrastructure – either declaratively via ClaimsPrincipalPermission or programmatically (see also here).
Resource = "Claims",
Operation = "View")]
public ViewClaims GetClientIdentity()
return new ServiceLogic().GetClaims();
In addition you can also turn off per-request authorization (see here for background) via the config and just use the “domain specific” instrumentation.
While the code is not 100% done – you can download the current solution here.
(Wanna learn more about federation, WIF, claims, tokens etc.? Click here.)
link to download source code is not working, please provide correct link.
It is not maintained anymore – but here it is: