Identity Stack Propagation

The second example of using the generic interceptor is about security identity propagation. As explained in Chapter 10, impersonation as a mechanism for identity propagation has many liabilities. Still, sometimes your service is required to pass the identity of the original caller (or all callers) down to the resources or other services with which it interacts. Instead of impersonating the callers or passing their identities as explicit parameters, you can pass the identities out-of-band, in the message headers, and use the generic interceptor to automate processing of those identities.

The first step is to define the stack of callers. To that end, I defined the SecurityCallFrame, which represents a single caller identity as well as some additional information about the caller, such as its address and the operation it invoked:

[DataContract]
public class SecurityCallFrame
{
   [DataMember(IsRequired = true)]
   public string Authentication
   {get;}

   [DataMember(IsRequired = true)]
   public string IdentityName
   {get;}

   [DataMember(IsRequired = true)]
   public string Address
   {get;}

   [DataMember(IsRequired = true)]
   public string Operation
   {get;}

   //More members
}

Next, I defined the security call stack:

[DataContract]
public class SecurityCallStack
{
   internal void AppendCall(  );

   public SecurityCallFrame OriginalCall
   {get;}

   public int Count
   {get;}

   public SecurityCallFrame[] Calls
   {get;}

   //More members
}

The implementation details of these types are irrelevant for this appendix. ...

Get Programming WCF Services, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.