wcf - .NET n-tier identity & authorization in service architecture


I'm building an application whose requirements seem standard issue (at least to me)... I have a web UI based on ASP.NET MVC and clients on iPhone, Android and BlackBerry.

So the sensible thing is to move the business logic into a services layer that can be accessed over HTTP. The services layer must accept requests with a user context (identity) and, in a nice way, perform authorization consistently no matter what type of client is communicating with it (I hope?).

Over a year ago I did a 3 month gig that employed W.I.F. (Windows Identity Foundation) in a hybrid on-premises & cloud architecture. I liked it. 3 things struck a chord: (1) externalizing authentication and not caring how it is done, (2) removing authorization logic from business logic, (3) claims based authorization.

Over the last year I've heard and watched REST services become 'the new cool hippy way of doing things'. I thought great, let's try that. After I started to play around and code, I started getting confused (and subsequently read for 10 hours yesterday without writing a line of C#). I'm still confused by the SOAP vs REST, WS.* vs HTTP, SAML vs SWT babble. I don't want this thread to be about that, because there is enough of that to speak of on StackOverflow, but I feel I've got a choice between 2 camps, when it doesn't feel like I want 1 or the other but bits of each?

To me the 3 points mentioned above about WIF don't seem like concepts that should be tied to WS.*? I'm getting the feeling they are, or at least that how WIF comes at the moment makes them so, without expert tweaking (e.g. I came across this post written a few days ago - http://zamd.net/2011/02/08/using-simple-web-token-swt-with-wif/).

The other area I don't know about is whether the clients (iPhone, Android, BlackBerry) are capable of playing with WIF: will the same STS throw a SAML token at them, will they behave like a browser, or will they pass it in a header like any other client? Yes, I'm going to have to find out, and if it's a deal breaker for W.I.F. I'll find out straight after posting this, so at least I can focus away from it.

Finally, to throw 1 more thing into the mix. I don't want to think about this. I want to use a 3rd party authentication / identity provider - http://www.janrain.com/products/engage - which I believe uses OpenID. Can this fit with W.I.F., or do I create a new SAML token from the OpenID and use WIF from that moment on?

I guess at the end of this babble, I want to come back to where I started, because it's getting more and more complicated, the more questions I ask and the more options I consider.

Is having a services layer (on WCF) that talks to different non-.NET clients and requires identity context and authorization strange? If you've built this, how did you approach it?

When you have many devices, 1 way to get the same solution working across all of them is to target the lowest common denominator.

Assuming the clients support cookies, 1 way of doing it would be to:

  • have an authentication system based on a cookie
  • cache the authorisation information on the server side, linked to the session or to a key in the cookie
  • for each request, check authorization

Not quite as elegant as using SAML tokens, but it will work cross platform / devices.

iPhone supports cookies: http://support.apple.com/kb/ht1675

BlackBerry supports cookies: http://docs.blackberry.com/en/developers/deliverables/11844/feature_cookie_storage_438273_11.jsp
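The three steps in the answer above, worked as an added C# example (not code from the question, the answer or any product mentioned): a session created once an external identity provider such as the OpenID one in the question has authenticated the user, a server-side cache of the resulting claims keyed by an opaque cookie value, and a WCF ServiceAuthorizationManager that checks that cookie on every request. It assumes an HTTP binding with principalPermissionMode="Custom" on <serviceAuthorization>, a cookie named "session", and .NET 4.5's System.Security.Claims (under the WIF 1.0 of the question's era the equivalent types live in Microsoft.IdentityModel.Claims).

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;

public static class SessionStore // opaque session id -> cached claims plus expiry (constructed here)
{
    private static readonly ConcurrentDictionary<string, Tuple<ClaimsPrincipal, DateTime>> Sessions = new ConcurrentDictionary<string, Tuple<ClaimsPrincipal, DateTime>>();
    // Called once the external identity provider has authenticated the user; returns the cookie value.
    public static string Create(ClaimsPrincipal principal, TimeSpan lifetime)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        string id = Convert.ToBase64String(bytes); // random id only; the claims never leave the server
        Sessions[id] = Tuple.Create(principal, DateTime.UtcNow.Add(lifetime));
        return id; // the login endpoint sets this as an HttpOnly, Secure cookie
    }
    public static ClaimsPrincipal Lookup(string id)
    {
        Tuple<ClaimsPrincipal, DateTime> entry;
        if (id == null || !Sessions.TryGetValue(id, out entry)) return null;
        if (entry.Item2 < DateTime.UtcNow) { Sessions.TryRemove(id, out entry); return null; } // expired
        return entry.Item1;
    }
}
// Runs for every WCF operation; fails closed unless a live session cookie is presented.
public class CookieSessionAuthorizationManager : ServiceAuthorizationManager
{
    private const string CookieName = "session"; // assumed cookie name
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var http = operationContext.IncomingMessageProperties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;
        if (http == null) return false; // not an HTTP request
        var principal = SessionStore.Lookup(ReadCookie(http.Headers[HttpRequestHeader.Cookie], CookieName));
        if (principal == null) return false;
        // Expose the cached claims to service code (Thread.CurrentPrincipal, [PrincipalPermission]); needs principalPermissionMode="Custom" on <serviceAuthorization>.
        operationContext.ServiceSecurityContext.AuthorizationContext.Properties["Principal"] = principal;
        return true;
    }
    // Parses a Cookie header such as "a=1; session=abc" and returns the named cookie's value, or null.
    internal static string ReadCookie(string header, string name)
    {
        if (string.IsNullOrEmpty(header)) return null;
        return header.Split(';').Select(p => p.Trim().Split(new[] { '=' }, 2))
            .Where(kv => kv.Length == 2 && kv[0] == name).Select(kv => kv[1]).FirstOrDefault();
    }
}
```

Register the manager with serviceAuthorizationManagerType on the same <serviceAuthorization> element; because the cookie carries only a random id, any client that can store and resend a cookie (the iPhone and BlackBerry links above) works without understanding SAML or SWT.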
