WCF - UserNamePasswordValidator

Old forum URL: forums.lhotka.net/forums/t/7867.aspx


Swylix posted on Sunday, October 25, 2009

Hi,

I was wondering why in the ProjectTracker app, in the PTWcfServiceAuth CredentialValidator, Validate consults the database each time. Can I not, just like the PrincipalPolicy, consult the PrincipalCache? => and so avoid database calls.
=> because when I debug the application, after the first AddProject, there is already a "pm" IPrincipal in the PrincipalCache
=> With the consequence that you first need to ask for an access token (by an extra call), which you must deliver with each request. The token contains an expiration time. When the token is expired, you need to request a new token.

Just for the record, in the AddProject of the PTService is mentioned:
// TODO: comment out the following if using the
// PTWcfServiceAuth components to require a
// username/password from the caller
//ProjectTracker.Library.Security.PTPrincipal.LoadPrincipal("pm");
=> It's probably due to a lack of my English. But, when you use the custom validation, the line ...LoadPrincipal must be "IN" comment?

Kind Regards,
Tanguy

RockfordLhotka replied on Sunday, October 25, 2009

You could choose to have CredentialValidator check PrincipalCache, yes.

I chose not to do that, because that could prevent the app from detecting that a user's credentials were removed from the security database - at least until the cache flushed (and you can't really know when that'll happen).

The comment is right - LoadPrincipal is used to work around the fact that the custom validation isn't setting the principal. If you are using custom validation, the principal is already set before your service method is invoked, so there's no need to set the principal in each service method.

This LoadPrincipal call is really here so I can use this app as a demo when presenting on CSLA - because I don't always have the time to get the certs set up and registered on every machine where I'm doing a demo, and so I can't always use custom validation.

Swylix replied on Sunday, October 25, 2009

Thanks for the quick response, Rocky.

I could provide an extra call to flush the cache when the credentials of a specified user are changed.
=> my worry is, when my service must treat +30.000 requests a day, and each time consult the roles, I will lose performance.

Even on a Sunday evening, CSLA Rocks!!!
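The cached variant discussed in this thread, added here as an example that is not code from the ProjectTracker sample or from CSLA: successful logins are remembered for a short TTL so the database is not hit on every request, a failed check or an explicit Invalidate(userName) call (the flush-on-change Swylix proposes) drops the entry, and the plaintext password is never stored, only a keyed hash of it. The CachingCredentialValidator class, its five-minute TTL and the checkDatabase delegate are assumptions; the tradeoff Rocky describes still applies, since a revoked account keeps passing until the TTL expires or Invalidate is called.

```csharp
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Text;

// Hypothetical validator: caches only *successful* logins for a short TTL and
// lets the application flush a user when their credentials or roles change.
public class CachingCredentialValidator : UserNamePasswordValidator
{
    private static readonly TimeSpan Ttl = TimeSpan.FromMinutes(5); // assumed value
    // Per-process random key: the cached value is an HMAC of the password, so
    // nothing in memory can be replayed against the real password store.
    private static readonly byte[] HmacKey = Guid.NewGuid().ToByteArray();
    // user name -> (fingerprint of the password that last succeeded, expiry, UTC)
    private static readonly ConcurrentDictionary<string, Tuple<string, DateTime>> Cache =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();
    private readonly Func<string, string, bool> checkDatabase; // assumed: the real DB lookup

    public CachingCredentialValidator(Func<string, string, bool> checkDatabase)
    {
        this.checkDatabase = checkDatabase;
    }

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null)
            throw new SecurityTokenException("Missing credentials.");
        string fp = Fingerprint(password);
        Tuple<string, DateTime> hit;
        if (Cache.TryGetValue(userName, out hit) && hit.Item2 > DateTime.UtcNow && hit.Item1 == fp)
            return; // cached success: a revoked user is only noticed after Ttl or Invalidate()
        if (!checkDatabase(userName, password))
        {
            Cache.TryRemove(userName, out hit); // never keep a stale success around
            throw new SecurityTokenException("Invalid user name or password.");
        }
        Cache[userName] = Tuple.Create(fp, DateTime.UtcNow.Add(Ttl));
    }

    // Call from the code path that changes a user's password or roles.
    public static void Invalidate(string userName)
    {
        Tuple<string, DateTime> removed;
        Cache.TryRemove(userName, out removed);
    }

    private static string Fingerprint(string password)
    {
        using (var mac = new HMACSHA256(HmacKey))
            return Convert.ToBase64String(mac.ComputeHash(Encoding.UTF8.GetBytes(password)));
    }
}
```

Register it the same way as the existing CredentialValidator (serviceCredentials/userNameAuthentication with userNamePasswordValidationMode="Custom"); the cache is per process, so a web farm still needs Invalidate called on every node or a shorter TTL.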

Copyright (c) Marimer LLC