Security and Business Logic

Mar 2, 2012 at 5:00 AM

I am really looking forward to your next write-up. WCF Data services is completely new to me and when I toyed around with it I had trouble with security. Specifically, it seemed that WCF did not collect cookie information, thus it wasn't possible to know which user id was logged in. You mentioned that this was no problem, but I'm still anxious to see how you manage it.

Keep the demos coming, we're all learning!

Mar 2, 2012 at 5:23 AM

Ok, I see this article now:
http://www.gooddogs.com/Blog/tabid/97/EntryId/9/WCF-Series-Part-8-Using-DotNetNuke-Security-Framework-to-secure-your-WCF-Service.aspx

I think the authentication token method works great when you're dealing with a non-DNN based client, but when your client is DNN and someone's already logged in, they are just going to be irritated to log in twice. Isn't there a way to read the cookie and know if they are logged in?

Further, if you want to utilize user information in your business logic, how can you do this with WCF without directly passing that user id?

Mar 2, 2012 at 6:14 PM

So I found this article on MSDN about exposing HttpContext to a WCF.
http://msdn.microsoft.com/en-us/library/aa702682.aspx

So that gives me HttpContext now. However, when I try to get the DNN User info, it comes up blank.

UserInfo ui = UserController.GetCurrentUserInfo();
returns ui.UserId = -1, despite being logged in. 

Mar 2, 2012 at 6:15 PM
Edited Mar 2, 2012 at 6:15 PM

Ok, so hopefully someday someone stumbles on this because I found a solution. 

http://irobinson.posterous.com/proof-in-concept-securing-ajax-requests-in-do

About a year ago, Ian Robinson helped me with a similar issue with ASMX. Well, the same solution, coupled with the above article from Microsoft, solves the problem!