2

I am creating a distributed application which will use ASP.NET Web API to support a Single-Page web Application (SPA) and other potential native mobile app platforms. My current architecture uses Thinktecture Identity Server as a STS which will provide authorization tokens for my clients to use to access the WebAPI. In the backend I will have persistence and business logic which will be exposed by a WCF service in a separate app domain from my WebAPI. The WebAPI will call the service layer to access data and perform actions on the domain.

My question is around authorization. I will be using Claims Based Authorization and can augment the list of claims from domain data held about the user from my WCF exposed business layer. But where should I carry out the authorization? With .NET 4.5, ASP.NET now has an extensible model to enable me to separate out authorization logic from my controllers into a separate authorization module - using the ClaimsAuthorizationManager. Also, Thinktecture.IdentityModel does a really good job of providing all the plumbing to do this within my WebAPI application. However, I cannot help thinking that the authorization logic should be sitting in my business layer, behind the WCF service, and that the client-facing WebAPI should not be tasked with enforcing this. Should I require other client facing hosted apps to consume my WCF based business layer, then they would also need to implement security code. On the downside, it does mean that an unauthorized request gets quite far into the application before being rejected.

Question: should I use the Claims based authorization capabilities in ASP.NET or should I wrap authorization around my business layer behind the WCF service?

Improve this question
1
  • If you will access your services only via your asp.net web, it'll be easier to have your asp.net handle authorization, to avoid service requests. And if you will be accessing your services by other consumers, I believe it'll be more solid as your services handle the authorization. Commented Sep 30, 2013 at 23:05

1 Answer 1

Reset to default
1

When possible, you should always try to use the authorization tools the framework you use gives you. In Microsoft's case, it's claims-based authorization. The benefit is that you're isolating your authorization logic in a layer of its own rather than within your business logic.

Claims-based authorization is one of many approaches to authorization. Another would be to use XACML. I recently gave a talk on XACML for developers (albeit Java developers). You can read more about it here. I also wrote an article on .NET and XACML which you can check out here.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Yes, I agree absolutely that I should use the framework tools - and the .Net 4.5 with MVC will assist me in isolating the logic. This is important as my authorisation logic will be very fine-grained. Keeping this complexity in one place will minimise dependency and facilitate maintenance. My concern was about where in architecture it should sit. @Esteban I guess has distilled the problem - it comes down to how I wish to extend the system in the future - if it is only ever going to be a WebAPI then why not use the WebAPI Authz. I guess XAMCL addresses this by separating concerns
To your first point, here's a Microsoft link that explains how to use claims-based authorization: msdn.microsoft.com/en-us/library/hh291068.aspx

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.