Enforcing sync scope in server side WCF code for security

  • Question

  • I'm just beginning to learn MSF and am not sure yet if one of my requirements can be met.  Here's an example scenario.  I have a customer table, with a related table called orders.  When a client synchronizes data with the central db, I want it only to sync the records from orders that relate to the logged in customer.  To make this robust, I want the enforcement of this filter to occur on the server side (WCF service) to ensure that the SOAP message could not be tampered with to gather data from another customer.  Is this feasible?  What should I be looking at to accomplish this?

    Thanks!
    Jim
    Friday, February 5, 2010 8:15 AM

Answers

  • Jim, if you are using the Sync services for ADO.NET providers - DbServerSyncProvider and SqlCeClientSyncProvider, then what Joel says applies.
    If you are using the Sync framework providers - SqlSyncProvider and SqlCeSyncProvider, then my comments above apply.
    This posting is provided AS IS with no warranties, and confers no rights
    Wednesday, February 10, 2010 1:45 AM

All replies

  • Yes it is.

    I guess you have some sort of authentication of your customers. If you add this as an extra argument to the GetChanges method in your SynchronizationService,
    then when you have authenticated the user you can add it as a sync parameter to your syncSession; make sure that there isn't another sync parameter with the same parameter name.

    if (syncSession.SyncParameters.Contains("@user_id"))
    {
        syncSession.SyncParameters["@user_id"].Value = sessionSettings.UserID;
    }
    else
    {
        syncSession.SyncParameters.Add("@user_id", sessionSettings.UserID);
    }



    Then you use this parameter in your sync provider to filter what data should be sent to the client.
    • Marked as answer by JimJalinsky Saturday, February 6, 2010 1:46 AM
    • Unmarked as answer by JimJalinsky Tuesday, February 9, 2010 11:30 PM
    Friday, February 5, 2010 5:22 PM
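A server-side sketch of the overwrite described in the reply above, as an added example that is not code from this thread or from the Sync Framework itself. It assumes the Sync Services for ADO.NET provider (DbServerSyncProvider) behind an authenticated WCF binding; `OrdersSyncService`, the `lookupCustomerId` delegate and the `orders`, `customer_id`, `total` and `insert_timestamp` names are hypothetical.

```csharp
// Added example. Class, delegate, table and column names are assumptions.
using System;
using System.ServiceModel;
using Microsoft.Synchronization.Data;
using Microsoft.Synchronization.Data.Server;

public class OrdersSyncService
{
    private const string UserParam = "@user_id";
    private readonly DbServerSyncProvider _provider;
    private readonly Func<string, int?> _lookupCustomerId; // identity name -> customer id

    public OrdersSyncService(DbServerSyncProvider provider, Func<string, int?> lookupCustomerId)
    {
        _provider = provider;
        _lookupCustomerId = lookupCustomerId;
    }

    // The SyncSession is deserialized from the client's SOAP message, so any
    // parameter it carries is untrusted until the server has overwritten it.
    public SyncContext GetChanges(SyncGroupMetadata groupMetadata, SyncSession syncSession)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Authentication required.");

        // The customer id is derived from the WCF security context, not the message body.
        int? customerId = _lookupCustomerId(ctx.PrimaryIdentity.Name);
        if (customerId == null)
            throw new FaultException("No customer is mapped to this identity.");

        // Replace a client-supplied @user_id rather than keeping it.
        if (syncSession.SyncParameters.Contains(UserParam))
            syncSession.SyncParameters[UserParam].Value = customerId.Value;
        else
            syncSession.SyncParameters.Add(UserParam, customerId.Value);

        return _provider.GetChanges(groupMetadata, syncSession);
    }

    // Command text for the orders adapter's incremental-inserts query. Each @name
    // must also be declared in that command's Parameters collection.
    public const string OrdersInsertsSql =
        "SELECT order_id, customer_id, total FROM orders " +
        "WHERE customer_id = @user_id " +
        "AND insert_timestamp > @sync_last_received_anchor " +
        "AND insert_timestamp <= @sync_new_received_anchor";
}
```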
  • Thanks for the answer Joel, but I've found some info that seems to be contradictory to your answer. To quote MSF team member Mahesh Dudgikar from thread http://social.microsoft.com/Forums/en-US/uklaunch2007ado.net/thread/3f755732-ec74-4ccf-9b22-0fa8de0d4bcc ...


    "Also, dynamic filtering is possible, but you would need to have as many scopes as you have the number of users. Currently this is the design limitation and we are working on making this story better and easy for the customers in the next release."

    It seems like you were saying I can enforce scope entirely on the server side by using context data I get from my authentication mechanisms to create query parameters.  That thread is saying that you need to have a separate scope defined for each user of the application in order to sync a different subset of data to each user.

    It seems like what I'm looking for is a fairly standard scenario in any real world sync application.  Does it really require some design time changes to simulate dynamic filters?

    Thanks!
    Tuesday, February 9, 2010 11:35 PM