Authenticating and authorizing users on MVC and WCF

I know so little about WCF, ASP.Net and authentication/authorization that I'm having a hard time explaining what is bothering me.

I'm using an ASP.Net MVC 3 app as a front end for a system I'm developing. This web site talks to a WCF web service and gets all its info from it.

There will be pre-defined users and each user has unique access (so an action may resolve in info specific to that user). Also the login info for users will be stored service side.

Now the question is, how do I handle authentication and/or authorization?

I want users to be able to log in to the website so I guess he will make a validation call over to the webservice and if validated set a forms.authentication cookie client side.

Then if he makes a new request like ChangePassword (unique to him) should I somehow validate him again? Perhaps have created a token for him to send along his request?

Could I perhaps just do all the validation service side even so that the Service knows who the user is and returns only data related to him (without having to specifically mention him in the method call)?

Does a service like this differentiate somehow between the authorization of the client web site and the user himself? I mean I want to ensure that both the tool being used is legal and that the action the user is trying to perform is ok.

I'm having a hard time understanding how all this works together and would rather have an explanation on how this works instead of a tutorial on how to do this (like a google search does).


"I'm having a hard time understanding how all this works together"

That's a pretty good summary of WCF. :)

WCF will use membership/role providers for logins. They need to be configured in the serviceModel section of the config file.

Your service's users will use either the username/password properties of the proxy or they will have to generate the ws-security xml config themselves if not using a generated proxy.

I've removed everything but the membership/roles stuff, so this isn't (probably) a working config section.

    <system.serviceModel>
      <behaviors>
        <serviceBehaviors>
          <behavior name="MyCompany.Api.Services.WebService.MyProductServiceBehavior">
            <!-- Authentication: user name/password are checked by the membership provider -->
            <serviceCredentials>
              <userNameAuthentication
                userNamePasswordValidationMode="MembershipProvider"
                membershipProviderName="MyCompanyMembershipProvider" />
            </serviceCredentials>
            <!-- Authorization: role checks are answered by the role provider -->
            <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="MyCompanyRoleProvider" />
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <bindings>
        <basicHttpBinding>
          <binding name="MembershipBinding">
            <!-- HTTPS transport, with the UserName credential carried in the message -->
            <security mode="TransportWithMessageCredential">
              <transport clientCredentialType="None" />
              <message clientCredentialType="UserName" />
            </security>
          </binding>
        </basicHttpBinding>
      </bindings>
      <services>
        <service behaviorConfiguration="MyCompany.Api.Services.WebService.MyProductServiceBehavior" name="MyCompany.Api.Services.WebService.MyProductService">
          <endpoint address="" binding="basicHttpBinding" bindingConfiguration="MembershipBinding" contract="MyCompany.Api.Services.WebService.IMyProductService" />
        </service>
      </services>
    </system.serviceModel>

Here is an example of using the generated proxy:

    var api = new MyProxyService.MyProxyServiceClient();

    // Sent as the WS-Security UserName token and checked by the membership provider.
    api.ClientCredentials.UserName.UserName = userAcct;
    api.ClientCredentials.UserName.Password = password;

    api.MethodCall();
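
The service side of the same setup, as an added example that is not part of the original answer: it shows how an operation can take the caller's identity from the authenticated message instead of from a method parameter, and how a role check hooks into `UseAspNetRoles`. The two operations and the `Administrators` role are hypothetical; only the contract and provider names come from the config above, and the membership provider is assumed to be registered under `system.web`.

```csharp
using System.Security.Permissions;
using System.ServiceModel;
using System.Web.Security;

// Hypothetical operations; only the contract and provider names come from the config above.
[ServiceContract]
public interface IMyProductService
{
    [OperationContract]
    bool ChangePassword(string oldPassword, string newPassword);

    [OperationContract]
    void UnlockUser(string userName);
}

public class MyProductService : IMyProductService
{
    // Name WCF authenticated through the membership provider for this call.
    private static string CallerName()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || !ctx.PrimaryIdentity.IsAuthenticated)
            throw new FaultException("Authentication required.");
        return ctx.PrimaryIdentity.Name;
    }

    // No user name parameter: the account acted on is always the caller's own,
    // so a client cannot ask to change somebody else's password.
    public bool ChangePassword(string oldPassword, string newPassword)
    {
        MembershipProvider provider = Membership.Providers["MyCompanyMembershipProvider"];
        return provider.ChangePassword(CallerName(), oldPassword, newPassword);
    }

    // With principalPermissionMode="UseAspNetRoles" the demand is answered by
    // MyCompanyRoleProvider; "Administrators" is an assumed role name.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public void UnlockUser(string userName)
    {
        MembershipProvider provider = Membership.Providers["MyCompanyMembershipProvider"];
        if (!provider.UnlockUser(userName))
            throw new FaultException("Unlock failed.");
    }
}
```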