Wednesday, July 15, 2009

Tip of the Day: WCF & Impersonation


Hey everyone, I want to share with you a tip on how to enable impersonation with your WCF service applications.

Let me begin with my situation first. I have a WCF service application that manages inventory data from a database. The solution includes service, business and data layers that work together to update and retrieve inventory data. In my service layer, I have a service called Inventory.svc that contains a single service operation called UpdateInventory. UpdateInventory accepts two parameters, the product id and the number of products to add to or subtract from inventory. Once I had everything compiled and built, I was ready to test. For testing I'm using the WcfTestClient.exe tool, which provides a simple interface for testing your WCF services. During my testing, my application threw an exception: "The UPDATE permission was denied on the object 'Inventory', database 'GreatValueBookStore', schema 'dbo'." At first, I was like huh? So I googled the exception and found most people were experiencing the same issue: no support for impersonation. Since the WCF application is running on IIS, I know that the Network Service account runs as the default user, which explains the exception, because the Network Service account does not have rights to modify data in my local database. Next I posted a question to an MSDN WCF forum. Within minutes a user replied with a series of MSDN articles on how to implement security and impersonation with WCF applications. The articles were very helpful and I found what I needed to resolve my issue. So let me show you how to implement impersonation in WCF.


In your service contract, add the following attribute on top of your service operation:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
This tells WCF that the service operation must impersonate the caller's identity; with Required, the call fails if the caller has not allowed impersonation.

Next, in your configuration file add the following code:

Then in your service's endpoint, supply the bindingName attribute with the value "WindowsBinding":

This sets the type of client credential to be used for authentication, in this case, Windows.
Then finally on your client application add the following code right before you make a call to a service operation:

InventoryClient.InventoryClient inventoryClient = new InventoryClient.InventoryClient();
inventoryClient.ClientCredentials.Windows.AllowedImpersonationLevel =
System.Security.Principal.TokenImpersonationLevel.Impersonation;


This allows the service to impersonate the client's Windows identity while it executes the service operation.
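To show the three pieces working together end to end, here is an added example (it is not the sample code from this post). It self-hosts the service and configures the Windows-credential binding in code instead of in the configuration file, so the "WindowsBinding" section that the post keeps in config appears here as a WSHttpBinding built by CreateWindowsBinding(). The contract name IInventory, the class InventoryService, the port and the product numbers are all assumptions. The service operation also performs a check a practitioner will want: it compares the thread identity with the caller's identity reported by ServiceSecurityContext, so a silently non-impersonated call fails loudly instead of running as the host account.

```csharp
// Added example, not the post's sample code. Names, port and sample values are assumptions.
using System;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IInventory
{
    [OperationContract]
    string UpdateInventory(int productId, int quantity);
}

public class InventoryService : IInventory
{
    // Required: WCF rejects the call if the caller's token cannot be impersonated.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string UpdateInventory(int productId, int quantity)
    {
        // Check that impersonation is really in effect: the thread identity must be
        // the caller, not the account that hosts the service.
        string caller = ServiceSecurityContext.Current.WindowsIdentity.Name;
        string current = WindowsIdentity.GetCurrent().Name;
        if (!string.Equals(caller, current, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Impersonation is not in effect for " + caller);

        // Database work would go here and would run under the caller's identity.
        return string.Format("Updated product {0} by {1} as {2}", productId, quantity, current);
    }
}

public static class Program
{
    // Code equivalent of a named Windows binding configuration:
    // message security with Windows client credentials.
    public static WSHttpBinding CreateWindowsBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    public static void Main()
    {
        var address = new Uri("http://localhost:8080/Inventory"); // assumed address
        using (var host = new ServiceHost(typeof(InventoryService), address))
        {
            host.AddServiceEndpoint(typeof(IInventory), CreateWindowsBinding(), "");
            host.Open();

            var factory = new ChannelFactory<IInventory>(CreateWindowsBinding(), new EndpointAddress(address));
            // Impersonation lets the service act as the caller on its own machine only;
            // Delegation would also allow it to reach further hops, so use the lowest level that works.
            factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

            IInventory client = factory.CreateChannel();
            Console.WriteLine(client.UpdateInventory(42, -3)); // constructed sample values
            ((IClientChannel)client).Close();
            factory.Close();
            host.Close();
        }
    }
}
```

Self-hosting on an HTTP port needs the account to hold a URL reservation for that address (or run elevated); under IIS the endpoint element in configuration plays the role of AddServiceEndpoint here. Impersonating the caller is one fix for the UPDATE permission error; the alternative is to leave impersonation off and grant the application pool identity only the database permissions the operation needs, which keeps the service's database rights independent of whoever calls it.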


That's it!!!!

You can download the sample code below:
