What should you do?

You are developing a Windows Communication Foundation (WCF) service. The service needs to access out-of-process resources.
You need to ensure that the service accesses these resources on behalf of the originating caller. What should you do?

A.
Set the value of ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel to TokenImpersonationLevel.Impersonation

B.
Set the value of ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel to TokenImpersonationLevel.Delegation

C.
Set the PrincipalPermissionAttribute on the service contract and
update the binding attribute in the endpoint element of the configuration file to wsHttpBinding

D.
Set the PrincipalPermissionAttribute on the service contract and
update the bindingConfiguration attribute in the endpoint element of the configuration file to wsHttpBinding

Explanation:
Impersonation is a common technique that WCF services use to assume the original caller’s identity in order
to authorize access to service resources (such as files or database tables).
Service resources can be resources that are either local to the service machine or remotely hosted.
Impersonation is used to access resources on the same machine as the service, while delegation is used to access resources that are remotely hosted.

By default, impersonation is disabled and resources are accessed by using the WCF service’s process identity.
Impersonation allows you to access local resources and perform other operations using the authenticated user’s identity
or a specific Windows identity. You can enable impersonation either programmatically or by applying appropriate attributes at operation or service levels.

You can impersonate imperatively or declaratively. Imperative impersonation is performed programmatically at run time and can vary depending
on business logic or other conditions. Declarative impersonation is applied with a static attribute that can be associated with an operation or an entire interface.
In general, you should use imperative impersonation when you need the fine granularity made possible by writing the impersonation logic into your code.
If you do not need such fine granularity, you can use declarative impersonation.

Delegation allows you to use an impersonation token to access network resources. Your ability to use delegation depends
on the authentication mechanism in use and appropriate account configuration.
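
The sketch below is an added example, not code from the original page or from the MSDN article. It shows declarative impersonation for a local resource next to imperative impersonation for a remote one, with a check that the caller's token actually permits delegation. The contract name, class names and both file paths are hypothetical.

```csharp
using System.IO;
using System.Security;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IReportService            // hypothetical contract
{
    [OperationContract] string ReadLocal();
    [OperationContract] string ReadRemote();
}

public class ReportService : IReportService
{
    const string LocalPath  = @"C:\Reports\summary.txt";           // hypothetical
    const string RemotePath = @"\\fileserver\reports\summary.txt"; // hypothetical

    // Declarative: WCF impersonates the caller for the whole operation.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadLocal()
    {
        return File.ReadAllText(LocalPath);   // access check runs as the caller
    }

    // Imperative: impersonate only around the resource access.
    public string ReadRemote()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

        // The service can only read this level; the client decides what to allow.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new SecurityException("Caller token does not permit delegation.");

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return File.ReadAllText(RemotePath);  // network hop as the caller
        }   // Dispose() reverts to the service's process identity
    }
}

public static class ClientSetup
{
    // Client side: allow delegation before the channel is opened.
    public static void AllowDelegation<T>(ClientBase<T> client) where T : class
    {
        client.ClientCredentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Delegation;
    }
}
```

Failing closed when the token is below Delegation keeps the service from silently falling back to its own process identity for the remote read.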

Delegation and Impersonation with WCF
(http://msdn.microsoft.com/en-us/library/ms730088%28v=VS.90%29.aspx)





Mixxa

Delegation: The server process can impersonate the client’s security context on “remote” systems. Impersonation: The server process can impersonate the client’s security context on its “local” system. The server cannot impersonate the client on remote systems.

John Galt

This could very well be A or B. The problem is that the question doesn’t specify whether ‘out-of-process’ resources reside on ‘local’ or ‘remote’ system. If they’re on ‘local’ system then Impersonation will work, if they’re on remote system then ‘Delegation’ has to be used.

I hate these imprecise questions where you have to guess what they meant. I personally will go with Delegation, just because it will work in both cases.