I've just begun using Windsor WCF Integration and have loved every bit of it. Originally we started using it for the sole purpose of its asynchronous capabilities. Now, we've started adopting some other characteristics to give us greater control of how we might ultimately control access to our services.
Simply, each service gives some "basic" functionality that we still want to have authorized ahead of time using a dynamic role check, then further service functionality we authorize using something very similar to PrincipalPermission. We're using the .NET Membership provider. The answer for this on the Client was lazy loading, giving us an opportunity to check whether or not that user in these roles has permission to access that service before it's Registered in the Container, rather than a check in the Service's constructor, which threw an exception and faulted the service.
Before using the Container, we could get a serialized FaultContract back. Now we get Activation exceptions because the Container can't resolve the proxy, due to an unauthorized exception thrown in the constructor. This isn't surprising, and it's a good excuse to get away from the constructor authorization logic that I never really liked in the first place.
That works great, but we've only found success in using it on the Client. Because of this, the Client is the only thing enforcing this service-level Authorization check, because the Services Container (hosted in IIS) is otherwise happy to give you anything back from its own container if you were to attempt to resolve the proxy outside of the Client. While I would've guessed the Service side would also support lazy loading, I haven't had success in getting it to work as I would expect. The second part to that problem is that I suppose I'd have to create/dispose a Container per user session which only includes the Components we've authorized (or not) that user to have, rather than a container in the Application meant for everybody/anybody. This may very well go against the way this is intended to work, and perhaps even the way it's intended to be used.
However, if I could get it to work, it would be one of the cleanest ways I can think of to get WCF-Service-Level-Authorization using a Role Provider to determine a user's level of (if any) access. I hope this wasn't too long-winded. Any suggestions or criticisms would be appreciated!
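
The gap described in the post above, where only the Client enforces the role check, can be closed inside the WCF host with a `ServiceAuthorizationManager`, which runs on the server for every incoming call regardless of which client sent it. This is an added example, not code from the original post or from the Castle project; the contract names, role names and the `ContractRoles` map are hypothetical, and wiring it through the Windsor WCF Facility is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;
using System.Web.Security;

// Hypothetical map: service contract name -> roles allowed to call it (constructed sample).
public static class ContractRoles
{
    public static readonly IDictionary<string, string[]> Required =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "IOrderService",  new[] { "Sales", "Admin" } },
            { "IReportService", new[] { "Admin" } }
        };
}

public class RoleServiceAuthorizationManager : ServiceAuthorizationManager
{
    // Runs in the service host before the operation is dispatched.
    // Returning false makes WCF send the caller an access-denied fault,
    // so no exception has to be thrown from a service constructor.
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        if (security == null || security.IsAnonymous || security.PrimaryIdentity == null)
            return false;                      // unauthenticated callers get nothing

        string contract = operationContext.EndpointDispatcher.ContractName;
        string[] allowed;
        if (!ContractRoles.Required.TryGetValue(contract, out allowed))
            return false;                      // deny by default; this also blocks
                                               // metadata endpoints unless listed

        string user = security.PrimaryIdentity.Name;
        // Dynamic check against the configured .NET role provider on each call.
        return allowed.Any(role => Roles.IsUserInRole(user, role));
    }
}

// Attaching it to a self-created host (for IIS hosting the equivalent is the
// serviceAuthorizationManagerType attribute of <serviceAuthorization> in web.config):
//   host.Authorization.ServiceAuthorizationManager = new RoleServiceAuthorizationManager();
```

Because the check is keyed on the authenticated identity of each call, a single application-wide container can stay in place; the per-operation PrincipalPermission-style checks still apply after this gate.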
