How to authorise users on an WCF Service hosted in a website

Question

Hi,

I have a WCF service that runs in my web application that provides data to a Silverlight application and is defined as follows (with an appropriate .svc file)....

[ServiceContract(Namespace = "")]       
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class DispatchService
{
    [OperationContract]
    public DateTime GetServerTime()
    {
        // Add your operation implementation here
        return DateTime.Now;
    }

The idea is that the user logs into the website and is then authorised for all services. I do not want to have a login aspect to my Silverlight application to authenticate users.

Therefore I dont want anyone to be able to call my service who is not authenticated.

Could I...

1. Somehow determine this for each Operation Contract. I had a look inside the OperationContext object but couldnt find anthing that stood out as a way to determine who the user was.

2. Somehow attribute the ServiceContract so that the method can only be used by authorised users?

3. Put something in my web.config to stop unathorised users from being able to access the folder containing the services?

Your thoughts will be very much appreciated.

Thanks.

Answer 1

Take a look here: Recipe: WCF basicHttpBinding with Windows Authentication.

You could also to place your .svc file into a folder and to deny access to unauthenticated users through <location> tag in your web.config