I have a WCF service set up, which currently implements an IAuthorizationPolicy and UserNamePasswordValidator, which, by themselves, are currently working to a basic degree.
It has been implemented into my web.config like so:
    <serviceCredentials>
      <userNameAuthentication userNamePasswordValidationMode="Custom"
                              customUserNamePasswordValidatorType="SecureService.CustomUsernamePasswordValidator, SecureService"/>
    </serviceCredentials>
    <serviceAuthorization principalPermissionMode="Custom">
      <authorizationPolicies>
        <add policyType="SecureService.MyAuthorization, SecureService"/>
      </authorizationPolicies>
    </serviceAuthorization>
What this is currently doing is validating the credentials in the UsernamePasswordValidator, and then retrieving the roles by checking the database for said user in a different call.
The issue I am having is that my 'database call' is a call to another application, where the calls themselves take about a second each. Therefore, I'd like to both authenticate and authorize with a single call.
The only possibility I have thought of is to put the logic entirely in the IsInRole function, which is currently set up like so:
    public bool IsInRole(string role)
    {
        PopulateUserRoles();
        return _roles.Contains(role);
    }
My question is: is there a standard way of achieving this? And if not, is this a safe way to do both at once?