Home > Advanced, C#, WCF > Implementing restricted access to a WCF service with the ServiceAuthorizationManager

Implementing restricted access to a WCF service with the ServiceAuthorizationManager


The IT industry divides security into two parts: authentication and authorization. Authentication verifies that a users is who he claims to be. This can be done in a couple of ways: certificates, username/password, windows credentials, … Authorization will decide what an (authenticated) user is allowed to execute. In this article I will describe a generic implementation to authorize access to a WCF service.

Implementing restricted access to a WCF service can be done in a couple of ways. A first option is to mark methods with the declarative PrincipalPermissionAttribute to restrict access to certain roles or users. An other option is to imperatively check the credentials of the current user.

Both of these methods have the drawback that they result in a lot of duplication when you have multiple service methods. Because duplication is the root of all evil, the creators of WCF have foreseen an extension point in WCF to implement authorization in a generic way: the ServiceAuthorizationManager.


Implementing a ServiceAuthorizationManager is straightforward; you need to extend the class “ServiceAuthorizationManager” and you need to override the method “CheckAccessCore”. In this small example, I will restrict access to my service to users of the windows group “Administrators”.

public class MyServiceAuthorizationManager : ServiceAuthorizationManager
    protected override bool CheckAccessCore(OperationContext operationContext)
            ServiceSecurityContext securityContext = operationContext.ServiceSecurityContext;
            WindowsIdentity callingIdentity = securityContext.WindowsIdentity;

            WindowsPrincipal principal = new WindowsPrincipal(callingIdentity);
            return principal.IsInRole("Administrators");
        catch (Exception)
            return false;

Now that our custom ServiceAuthorizationManager has been implemented, we need to hook it into the WCF pipeline. The most easy way to do is, by using the web.config or app.config file.

	<!-- Define service and endpoints -->

			<behavior name="MyServiceBehavior">
				<serviceAuthorization serviceAuthorizationManagerType="MyNamespace.MyServiceAuthorizationManager, MyAssembly" />


When you test your service, you will notice that every method is secured by our custom ServiceAuthorizationManager implementation. I hope that you agree with me, that the ServiceAuthorizationManager is a clean way to implement authorization at the service level.

Categories: Advanced, C#, WCF
  1. September 21, 2011 at 21:33

    When using WCF REST, if I use this method of authorization, the client receives a 400 (Bad Request) error.

    There is any way to change it to 401 (Unauthorized)?

  2. pieterderycke
    September 22, 2011 at 08:41

    Not that I am currently aware of. Which WCF REST are you using? The current Rest support or the new WCF Web API (http://wcf.codeplex.com/releases/view/73399)?

    I think you have to most chance to be able to do that in a generic way with the new WCF Web API; but you will probably have to create another component than a ServiceAuthorizationManager.


  3. September 22, 2011 at 14:53

    I’m using bare WCF REST on .NET 4.0.

  4. pieterderycke
    September 22, 2011 at 19:29

    You could do this is in a WCF IParameterInspector (http://msdn.microsoft.com/en-us/library/system.servicemodel.dispatcher.iparameterinspector.aspx) check the ServiceSecurityContext and if no access should be given throw a WebFaultException with the required HTTP error

  5. Leon
    March 29, 2012 at 10:54

    Hi there, very useful article.
    An additional question though: how should the authorization of a specific operation and its parameters be implemented with a generic WCF approach? Thanks.


    • pieterderycke
      March 29, 2012 at 12:47

      You have to use the PrincipalPermissionAttribute on the method if you want to restrict access only for a single method.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: