I am looking into using WCF built-in functionality to aid me in implementing an authorization service that sits on top of WCF. I already have tables such as:
This article gives a basic overview of the normal way of doing this. Basically, you construct a custom principal that contains the data relevant to a user's permissions in an IAuthorizationPolicy and attach the custom principal to the WCF OperationContext. This guarantees that regardless of how the threads are managed, you can always access this principal via
If your permissions are simply based on role membership, you can simply use standard mechanisms like PrincipalPermission.Demand() or wrapping your operations with
Alternatively, if you have more sophisticated permissions (e.g. Create | Delete | Update etc.), one approach would be to create a custom permission that implements IPermission. This approach also works well for things like value-based permissions (e.g. approve orders up to $500). In your code you can then construct the required permission and have it call Demand() to check whether your current custom principal is permitted. If these permissions can be made serializable, it often also makes sense to create a companion attribute to support declarative security that uses each permission.
The above approaches integrate nicely with WCF and the .NET security infrastructure and, once you get your head around IPermission, provide an elegant and maintainable solution.
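
An added example, not code from the answer above: a value-based permission of the "approve orders up to $500" kind, implemented as an IPermission whose Demand() checks the current custom principal. OrderPrincipal, ApprovalLimit and ApproveOrderPermission are hypothetical names, and the sketch assumes the service runs with PrincipalPermissionMode.Custom so that the principal set by the authorization policy is available as Thread.CurrentPrincipal.

```csharp
using System;
using System.Globalization;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical custom principal; ApprovalLimit is assumed to be loaded from the permission tables.
public sealed class OrderPrincipal : IPrincipal
{
    public OrderPrincipal(IIdentity identity, decimal approvalLimit)
    { Identity = identity; ApprovalLimit = approvalLimit; }
    public IIdentity Identity { get; }
    public decimal ApprovalLimit { get; }
    public bool IsInRole(string role) => false; // role checks are out of scope for this sketch
}

// Hypothetical value-based permission: "may approve an order of this amount".
public sealed class ApproveOrderPermission : IPermission
{
    private decimal _amount;
    public ApproveOrderPermission(decimal amount) { _amount = amount; }

    public void Demand()
    {
        // Fail closed: wrong principal type, missing or unauthenticated identity, or limit exceeded.
        var p = Thread.CurrentPrincipal as OrderPrincipal;
        if (p == null || p.Identity == null || !p.Identity.IsAuthenticated || _amount > p.ApprovalLimit)
            throw new SecurityException("Order approval denied for the current principal.");
    }

    public IPermission Copy() => new ApproveOrderPermission(_amount);
    public bool IsSubsetOf(IPermission target) =>
        target is ApproveOrderPermission t && _amount <= t._amount;
    public IPermission Intersect(IPermission target) =>
        target is ApproveOrderPermission t ? new ApproveOrderPermission(Math.Min(_amount, t._amount)) : null;
    public IPermission Union(IPermission target) =>
        target is ApproveOrderPermission t ? new ApproveOrderPermission(Math.Max(_amount, t._amount)) : Copy();

    public SecurityElement ToXml()
    {
        var e = new SecurityElement("IPermission");
        e.AddAttribute("amount", _amount.ToString(CultureInfo.InvariantCulture));
        return e;
    }
    public void FromXml(SecurityElement e) =>
        _amount = decimal.Parse(e.Attribute("amount"), CultureInfo.InvariantCulture);
}
// Inside a service operation: new ApproveOrderPermission(orderTotal).Demand();
```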