I'm building a webservice that needs to be accessible to a variety of potential platforms, including a number of older ASP and ASP .NET applications. After some research, I settled on a WCF service with both a REST (webHttpBinding) and SOAP (wsHttpBinding) endpoint (that way, I can support a wide range of platforms and still make the .NET coders happy).
For security, I'm using SSL and HTTP Authentication Basic against my own database of username/passwords. So I've written an HttpModule to handle the usernames and passwords and check for SSL. Now, the REST setup is working perfectly, but I'm having problems with the SOAP endpoint. No matter what settings I use, the SOAP client never sends me a WWW-Authorization header that I can use to authenticate. I'm assuming that setting something like <message clientCredentialType="UserName" />
should tell WCF that I expect an Authorization header, and that information will be picked up by Visual studio (or whatever client) when it creates a web reference. Perhaps I'm just being hopelessly naive.
So to summarize the question: is there any way that I can tell WCF to send me a WWW-Authorization header (ie, an HTTP basic header) along with the soap messages?