Adding Authentication/Authorization

First read https://msdn.microsoft.com/library/ff405740.aspx}this page both part 1 and 2. Implement scenario 3 for your movie database (2nd method in part 2) as follows:

• Security: TransportWithMessageCredential (Scenario 3) Credential Type: Username Authorization: Role-based using ASP.NET role management

Because we don't want users to edit movies, we are going to allow them to create and read, but not update and delete.

Detailed Instructions

Step 1: Database Setup

• Install Sql Server Express
  • Make sure to use both Windows and SQL authentication
  • Instance = [servername]\SQLEXPRESS).
• Install Sql Server Management Studio (SSMS) on the server
• Start SSMS and connect to [servname]\SQLEXPRESS
  • Right click on the server and select properties
  • Select the connections page
  • Click allow remote connections and select ok.
• Start Sql Server Configuration Manager

  • Set the following elements SqlConfig.png

  • Under "SQL Server Services" Right click on "SQL Server (SQLEXPRESS)" and click restart.
• Add a Windows firewall rule to allow incoming connections to port 1433. (if you are not sure how to do this, ask an IT major or google it)
  • You can now remotely connect to the server using just the IP address. Try it on SSMS
• Create a database
  • In SSMS, right click on the databases folder, select New Database...

  • Give it a name "MovieUsers"

• Run C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regsql.exe

  • Choose the Configure SQL Server for application services option and select next.
  • Fill in the server name and append "\SQLEXPRESS" e.g. CPTR446\SQLEXPRESS

  • Leave Windows authentication selected and Drop down the database selection. You should see MovieUsers. Select it and click next, next, finish.

That should finish the database setup.

Step 2: Configure your service to use the database for authentication

One of the most important things is that, when working with the latest technology, we use the latest documentation. I didn’t give you links to the latest documentation, I gave you a link to a tutorial that shows the process. Always look at the date for such tutorials, they may (and indeed often do) require you to expand your search to find current, canonical documentation.

1. You have your WCF service App project (hereafter referred to as your “service” project). This is what gets deployed and this is where I’ll be making the majority of edits (almost all in the web.config file).
2. Deploy the service to your remote IIS server.
   1. Test this! If it doesn't work now, it doesn't have a prayer of working later.
3. At this point, I looked at the project called Membership and Role Provider in the link below:

   1. Membership and Role Provider

   2. Although this does show you how to change the web.config file, it does not show you much code. So to save you downloading a massive file and finding the right project in it, I’ve included the folder for thier demo project here. <-- This is vitally important, it has a web.config file that will actually work!

   3. NOTE: Your Membership and Role Provider is untrusted! That is, even though this is a standard normal forms authentication provider, IIS (in Server 2019) will complain. So follow the directions here to fix that problem. BUT BE WARNED, DON’T EVER DO THIS ON A PRODUCTION SERVER.

4. The first thing you should look at in code is the web.config file! This and the link above should give you all you need to implement authentication and authorization.
5. There were several caveats that I had to work out, and I suggest you do these first!

   1. A certificate is required and you need to create one and put it in LocalMachine\Personal Certificate store. I’ll leave you to your own devices on that task (I just exported the one we had already from IIS). But you can create the certificate in IIS manager and export it, then import it to your Certificate store. This must be done on your server. Since it is self signed, you will also need to include the following code in your client. (Notice my reference to the wcf service is called “proxy”). proxy.ClientCredentials.ServiceCertifcate.Authentication.CertificateValidationMode = X509CertifcateValidationMode.None;

   2. The certificate may not allow access to the private key, which your wcf service needs! This is manifested by an exception stating: “keyset does not exist”. I found this website to be very useful. As part of the process, you will need a compiled program from the examples called FindPrivateKey.exe. For your benefit, I have compiled it and uploaded it here.

   3. If you have other Certificate issues, it is probably because you didn’t put it in the right place.
6. After you have created the configuration and deployed the service then, and only then, can you go and create the .NET Users and .NET roles in IIS. If you have trouble make sure you have enabled forms authentication.

Step 3: Configure your service/client to require/use Authorization

Authorization is one of the easiest parts to this project. If you have the parts in place, you can simply add some attributes to your methods in code to require authorization. Let’s look at the parts.

1. You must have the web.config deployed to the website first. It has the membership and role configuration, and if that is wrong, you won’t be able to continue.
2. At this point you should now be able to use the IIS Management tool to add both users and roles.
   1. In IIS manager click on the application you created.
   2. Click on .NET Roles and create two roles: "Users" and "Managers"
   3. Click back on the application.
   4. Click on .NET Users and create two users: "Mgr" that is a member of both Users and Managers, and "Usr" who is only a member of "Users".
   5. NOTE: Putting the users and roles in the "Default Web Site" won't work. Users and Roles are unique to the application they serve.
3. Add the required authorization requirements to the service and you should be ready to test again. I recommend testing from your client (like I did in class) so that you can get good feedback on errors.

   1 [PrincipalPermission(SecurityAction.Demand, Role = "Users")]
   2 public int CreateMovie(Movie movie) { ... }
   3 
   4 [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
   5 public bool DeleteMovie(int ID)
   6 
   7 [PrincipalPermission(SecurityAction.Demand, Role = "Users")]
   8 public Movie GetMovie(int ID)
   9 
  10 [PrincipalPermission(SecurityAction.Demand, Role = "Users")]
  11 public List<Movie> GetMovies()
  12 
  13 [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
  14 public bool UpdateMovie(Movie movie)

Turn in your work on eclass:

Create a video that demonstrates the features of your application and turn it in on eClass.

1. Show that you have created the users and roles in IIS. (20 pts)
2. Show your application using the mgr credential to complete Create, Read, Update and Delete operations. (40 pts)
3. Show your application using the usr credential to complete Read, Create and that it fails gracefully on Update and Delete. (40 pts)

Zip up your project and turn it in on eClass. ( 0 OR 1 Multiplier of the previous points).