All of this is pertaining to WebHttp binding, hosted in a custom Service Host (IIS is not an option at this time).
I've implemented a custom UserNamePasswordValidator, and a custom IAuthorizationPolicy. When I configure the endpoint's binding to use Basic authentication, everything works just as I'd like (custom principal, custom roles, etc..).
I'd like to add the ability for anonymous HTTP access as well, and have my custom implementations put the Anonymous user in some default roles, etc.. (if no Authenticate header is sent).
What happens now is that anonymous users are given a 401 before any of my custom code is hit. If I turn off the HTTP Basic authentication requirement, then the Authenticate header is ignored altogether.
How do I configure, or inject an Authenticate header, to do this both ways (without creating 2 separate endpoints)?