Shawn Wildermuth's Rants and Raves


Securing Web Services (Even with OOB)
July 26, 2009

I was trading tweets today with @pauliom about whether RIA Services would solve some Auth problems he was having out of the browser.  While RIA does do some interesting things with roles/users, I mentioned that typical Forms Auth out of the box should just work.

To that end I have created a simple example of how to protect WCF Services with Forms Auth (it works with ADO.NET Data Services as well, BTW). Because I wanted to support it out of the browser as well, I used the new Forms Auth service. To do so, just add a new .svc file to your project and put this in the body:

<%@ ServiceHost Language="C#"
            Service="System.Web.ApplicationServices.AuthenticationService" %>

The web.config also needs to know about the service. First, enable it in the web extensions section like so:

      <authenticationService enabled="true"/>

Finally, the WCF configuration bits:

        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      <endpoint address=""
            contract="System.Web.ApplicationServices.AuthenticationService" />
      <endpoint address="mex"
                contract="IMetadataExchange" />

Once you have all those pieces you can create the proxy like any other service (with “Add Service Reference…”).  Then you can login from the Silverlight application:

var authSvc = new AuthenticationServiceClient();
authSvc.LoginCompleted += (s, a) =>
{
    // a.Error is set when the call itself failed; a.Result is the login outcome
    if (a.Error != null)
        result.Items.Add(string.Concat("Error logging in: ", a.Error.Message));
    else
        result.Items.Add(string.Concat("Login: ", a.Result));
};
authSvc.LoginAsync("swildermuth", "P@ssw0rd", null, false);

So securing the web service becomes pretty simple.  I created a new “Silverlight WCF Service” inside a secure folder:

Protected Web Service

I created the web service and then the Service Reference before enabling security, so that adding the Service Reference would work. This is the one pain point: you must disable the folder security to add the reference, then re-enable it afterwards:

<?xml version="1.0"?>
      <deny users="?"/>
      <allow users="*"/>
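As an added example (not the post's own configuration), here is how the fragments above fit together in one web.config. The protected folder name "Secure", the behavior name and the binding name are assumptions; the metadata and endpoints are moved to HTTPS so the password passed to Login is not sent in the clear, which the post's HTTP-only fragments do not do.

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Folder name "Secure" is an assumption; anonymous users ("?") are denied there. -->
  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authentication mode="Forms"/>
  </system.web>
  <system.web.extensions>
    <scripting>
      <webServices>
        <!-- requireSSL="true": the Login() password is accepted only over HTTPS. -->
        <authenticationService enabled="true" requireSSL="true"/>
      </webServices>
    </scripting>
  </system.web.extensions>
  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
    <bindings>
      <basicHttpBinding>
        <!-- Binding name is an assumption; Transport security means HTTPS. -->
        <binding name="AuthHttps">
          <security mode="Transport"/>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="AuthBehavior">
          <serviceMetadata httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="System.Web.ApplicationServices.AuthenticationService"
               behaviorConfiguration="AuthBehavior">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="AuthHttps"
                  contract="System.Web.ApplicationServices.AuthenticationService"/>
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

The Forms Auth cookie issued by the authentication service is what the Silverlight client carries on later calls, so only services placed under the denied folder are actually protected.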

Now the web service will only work once the login happens. You can test this in or out of the browser, and with both stacks, using the source code. Here's a quick screenshot showing it working after login and not working after logout:


You can download the source code here:

UPDATE: Here are some links to the actual docs for this:

Configuring the Authentication Service: