I am trying to implement authorization for a WCF service but I have run into some significant difficulties. I think I need to use a hybrid solution combining custom authentication and claims, but I am not sure if this is correct.

My application uses Windows authentication to connect to the application. Once the user has been authorized, access to functions needs to be granted based on permission information stored in the database.

Users can be assigned permissions via the application interface. One level of the permission heirarchy corresponds to access to individual WCF functions:

• Access to module (purely organizational)
  • Access to function (access to WCF function, checked automatically)
    • Function-specific permissions (checked dynamically in code)

Sample structure and usage:

• Shipping
  • Can Create Shipment
    • Can override naming conventions
  • Can Package Shipment
    • Must be verified by supervisor
    • Can generate customs documentation ...

class ShippingService : IShippingService
{
    // Access corresponds to "Can create shipment" permission
    public bool CreateShipment(string name)
    {
        ...

        // Check the function-specific permission dynamically.
        if (!ConformsToNamingConvention(name) && !CheckPermission(Permissions.CanOverrideNamingConvention))
            return false;
        ....
        return true;
    }
}

I think what I need to do is to create a custom Authorization Policy by implementing IAuthorizationPolicy. This will connect to the database, pull the permissions for the user and add a claim for each of the permissions. I will then need to create a custom authorization manager that will compare the requested action with the list of claims to determine if the connecting user is authorized.

Is this the correct way to approach this, or am I:

a) overcomplicating the issue, or

b) using WCF components incorrectly (such as claims, IAuthorizationPolicy, AuthorizationManager...)

Thanks in advance for any help, and best regards.

The problem you'll have with this approach as with just about all the other approaches is the fact you want to allow business users to create and delete roles on the fly. How are you even going to check that in code? Typically, you'd restrict execution of a method or service call to a specific role (or set of roles) - how is this going to work if you want to have roles that get created dynamically at runtime?

If you can live with pre-defined roles, there's a few solutions. Have you checked out the ASP.NET role provider? It's part of the more general ASP.NET membership and role provider set, but it can be used on its own, too.

To activate it, use this snippet in your config (once you've set up the basic infrastructure for the ASP.NET role provider stuff):

<behaviors>
 <serviceBehaviors>
  <behavior name="CalculatorServiceBehavior">
   <serviceAuthorization principalPermissionMode ="UseAspNetRoles"
                         roleProviderName ="SqlRoleProvider" />
  </behavior>
 </serviceBehaviors>
</behaviors>

The only other idea I have is looking at the Authorization Manager (AzMan): this is a set of tools to allow you to specify fairly granular "atomic" permissions that a business user can then compose into roles and assign users to those. But basically, in the end, at the bottom level of the granular program functions ("Tasks" in AzMan), you're dealing with a static set of rights, again.

Check out this MSDN article on AzMan as an introduction and see this article in the WCF security guidance on how to use it from a WCF service. I don't know the current status of AzMan and I don't know if it will be developed much further anymore - it almost seems a bit like it won't (but I'm not 100% sure on that).

Marc