Certificate based Authentication and WCF - Using Service Authorization Manager

I've been working on Security for our SOA Architecture and i decided to pursue a brokered authentication approach using x.509 certificates issued by a Certificate Authority. It was a lengthy process of researching between the different approaches... nearly went brokered STS, but since we won't have a need for multiple STS, i decided to go with x.509. It's interoperable and widely used, and it suites our needs since we had requirements for interoperability and need for impersonation and delegation.

During the creation of the service authorization manager i decided to implement Role-based security without the need to decorate the operations with the PrincipalPermission attributes. This meant putting the required permissions into the configuration file and reading them through the implemented CheckAccess() method in the service authorization manager. I also went another step further an included the roles into the configuration file. I could have settled with using the ready made solutions like;



ADAM and Active Directory - As easy as it is, i didn't want to include another business layer into administration (such as IT).



MembershipProvider - This is a good one at that, but i wanted something simpler. Something that wouldn't need any setup



AzMan - I guess i just didn't try making this really work. Looking back, i think this could be a possibility.



Anyway, as i said i placed the roles mapping into the configuration. It separates the security logic from the base code and provides a simple way for administering the roles. Try to get a copy of the WCF Unleashed book as it outlines a part of what i used for this.



On a side note, i also used the thumbprints for identifying the certificates uniquely. I had some troubles with the byte array conversion for the thumbprint, but this blog right here helped me alot.