Ticket Q413907
Visible to All Users

How to extend the XPO IDataStore WCF service to pass login credentials from a client app and track user access rights on the server

created 13 years ago

Dear DevExpress team,

in attachment you can find my sample MVVM/SL application with a very basic WCF service which providing IDataStore.
This application has some basic features for selecting, saving and deleting the data via UnitOfWork/DataStoreClient.
Is it possible to extend this WCF service for tracking select, update, insert queries and checking user authentication on the server side?

I examined already different examples and documentation, but unfortunately i could not derive a right solution for my case.

I want extend my sample application to the following scenario:

  1. Client contacts the WCF service by giving information about user. E.g. int UserID = 1
  2. WCF service providing the ICachedDataStore (or IDataStore) for the client and creates a user specific session on the server side
  3. Client sends a request to web service for delete, save, insert or select an object
  4. WCF service checking the UserID/SessionID
    (E.g. IF UserID = 1 then allow data deletion)
    (E.g. IF UserID = 2 then allow data modification)

Would you please give me advice how to extend my wcf service for described situation?
It would be great if you can extend attached sample to some basic templates to help me,
because there are many different examples and I don't know which one is up2date and appropriate for my case.

Thank you in advance!
Alex

Answers approved by DevExpress Support

created 13 years ago (modified 8 years ago)

UPDATED:
XPO does not provide built-in means for securing WCF services. This task is outside the scope of XPO and you can learn more in MSDN about how to best implement it.
To implement your scenario, you can override the IDataStoreWarpService GetService(Guid clientId) method in your service and return a DataStoreService descendant depending on a user. Attached is a sample project that shows how to pass login credentials via WCF message headers using the GlobalDataClientChannelCreated or ClientChannelCreated events of the DevExpress.Xpo.DB > DataStoreClient class.
We hope you find this information helpful.

See Also:
Programming WCF Security
Authentication and Authorization in WCF Services
How to connect to remote data store and configure WCF end point programmatically

    Other Answers

    created 13 years ago (modified 8 years ago)

    Hello,
    The DataStoreService class does not provide any security solution.
    To implement your scenario, you can override the IDataStoreWarpService GetService(Guid clientId) method in your service and return a DataStoreService descendant depending on a user.
    Attached is a modified version of your project that demonstrates this idea.

      Comments (1)

        Hi Dennis,
        thank you very much for your example!
        On the server side your proposal working fine. But what is necessary to change/configure on the client (SetupXPOLayer etc.) side? I tried somehow to provide the user clientId through the XpoDefault.DataLayer configuration, but without success.
        Can you give me advice how i can put the user Id as parameter within SetupXPOLayer, so it will be possible to receive the clientId via TryGetValue method ?
        Thank you in advance!
        Alex
        p.s. Perhaps I'm on the wrong path… :-(

        Disclaimer: The information provided on DevExpress.com and affiliated web properties (including the DevExpress Support Center) is provided "as is" without warranty of any kind. Developer Express Inc disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.

        Confidential Information: Developer Express Inc does not wish to receive, will not act to procure, nor will it solicit, confidential or proprietary materials and information from you through the DevExpress Support Center or its web properties. Any and all materials or information divulged during chats, email communications, online discussions, Support Center tickets, or made available to Developer Express Inc in any manner will be deemed NOT to be confidential by Developer Express Inc. Please refer to the DevExpress.com Website Terms of Use for more information in this regard.