Question

How to configure a WCF service hosted in IIS 7 to enable access for only defined users / groups?

Existing configuration:

<authentication mode="Windows"/> 

<services>     
 <service name="MyService.Test" behaviorConfiguration="MyService.TestBehavior">
  <endpoint address="" binding="wsHttpBinding" contract="MyService.ITest">
   <identity>
    <dns value="localhost"/>
   </identity>
  </endpoint>
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
 </service>
</services>
<behaviors>
 <serviceBehaviors>
  <behavior name="MyService.TestBehavior">
   <serviceMetadata httpGetEnabled="true"/>
   <serviceDebug includeExceptionDetailInFaults="true"/>          
  </behavior>        
 </serviceBehaviors>
</behaviors>

I then want to configure permissions (users or groups) either in the web.config or in the file system on files or folders.

Solution

First of all, if you're in an intranet environment, you could and should switch to netTcpBinding - it's faster, it's more flexible, no one can call in from the outside (beyond your firewalls) - perfect.

Next - you have Windows credentials turned on by default with wsHttpBinding and with netTcpBinding. In a WCF world, you wouldn't typically secure files or folders - what you'd secure are service calls - and doing so is easy with Windows credentials - just add a PrincipalPermission attribute to your service implementation, and you're done:

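using System.Security.Permissions;

class MyService : IMyService
{
  // Only callers in the "SysAdmin" role may invoke this operation.
  [PrincipalPermission(SecurityAction.Demand, Role="SysAdmin")]
  public void SensitiveMethod()
  {
    // ....
  }
}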

Should work just fine.

If you really need to secure files and folders, you can always use the web.config file and specify the usual access permissions based on Windows user names and groups - but that has nothing to do with WCF, really.

Marc
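
The following is an added example, not part of the original answer. It applies the PrincipalPermission check to the MyService.Test service from the question in two ways: declaratively, and imperatively with the group name read from web.config so it can be changed without recompiling. The group CONTOSO\ServiceAdmins, the appSettings key AllowedGroup, and the operation names are assumptions made for illustration.

```csharp
using System.Configuration;          // requires a reference to System.Configuration.dll
using System.Security;
using System.Security.Permissions;
using System.ServiceModel;

namespace MyService
{
    [ServiceContract]
    public interface ITest
    {
        [OperationContract] string ReadStatus();      // hypothetical operation
        [OperationContract] void SensitiveMethod();
    }

    public class Test : ITest
    {
        // Declarative form: the Windows group is fixed at compile time.
        // "CONTOSO\ServiceAdmins" is a constructed placeholder; use DOMAIN\Group
        // (or MACHINE\Group for a local group).
        [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\ServiceAdmins")]
        public string ReadStatus()
        {
            return "ok";
        }

        // Imperative form: the group comes from web.config, e.g.
        //   <appSettings>
        //     <add key="AllowedGroup" value="CONTOSO\ServiceAdmins"/>
        //   </appSettings>
        public void SensitiveMethod()
        {
            string group = ConfigurationManager.AppSettings["AllowedGroup"];

            // Fail closed. PrincipalPermission(null, null) only demands an
            // authenticated caller, so a missing or empty setting would
            // otherwise admit every authenticated Windows user.
            if (string.IsNullOrWhiteSpace(group))
                throw new SecurityException("AllowedGroup is not configured.");

            // Throws SecurityException unless the caller's principal is in the group.
            new PrincipalPermission(null, group).Demand();

            // ... privileged work goes here ...
        }
    }
}
```

Both forms evaluate Thread.CurrentPrincipal, which WCF populates from the caller's Windows token when the service's principalPermissionMode is UseWindowsGroups (the default).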

Licensed under: CC-BY-SA with attribution