MVC2 Apps (and others) sharing WCF services and authentication

I've seen several similar scenarios explained here but not my particular one. I wonder if someone could tell me which direction to go in?

I am developing two (and more later) MVC2 apps. There will also be another (thicker) client later on (WPF or Silverlight, TBD). These all need to share the same authentication. For the MVC2 apps they (preferably) need to be single log on - ie if a user logs in to one MVC2 app, they should be authorised on the other, as long as the cookie hasn't timed out.

Forms authentication is to b开发者_运维百科e used.

All the apps need to use common business functionality and perform db access via a common WCF Service App. It would be nice (I think) if the WCF is not publicly accessible (ie blocked behind FW). The thicker client could use an additional service layer to access the Common WCF App.

What this should look like is:

MVCApp1 -> WCFAppCommon

MVCApp2 -> WCFAppCommon

ThickClient -> WCFApp2 -> WCFAppCommon

Is it possible to carry out all the authentication/authorization in the WCFAppCommon? Otherwise I think I'll have to repeat all the security logic in the MVCApps and WCFApp2, whereas, to me, it seems to sit naturally in WCFAppCommon. On the otherhand, it seems if I authenticate/authorize in WCFAppCommon, I wouldn't be able to use Forms Authentication.

Where I've seen possible solutions (that I haven't tried yet) they seem much more complex than Forms Authentication and a single DB.

Any help appreciated,

Phil

I thought I should come back to this with what I've learned (and re-learned).

First the re-learned lesson - don't become fixed on an architecture and then try and make everything else fit. I'm fixed on .Net, SQL Server, WCF, MVC2, EF4, and IIS7. Fixing in my mind how I want these to fit together is slighly dumb! Better to go out and look at what guidance exists.

Which brings me to what I learned - here's a link:

http://wcfsecurityguide.codeplex.com/

I discounted this article a couple of times because it's a bit dated. However, I'd say it's actually very relevant and if you're starting a project remotely concerned with securing services go take a look. Part IV had everything I needed.

We are using WCF Web Application hosting Reporting system (we are accessing it from Silverlight) and since it's using same machine keys as our MVC application - we can share cookie authentication as well.

Otherwise, you have to send authentication ticket (custom or not) to your WCF application.