My goal is to create a RESTful HTTP API (most likely hosted in IIS) to be used within a company's intranet that hosts Windows machines. The RESTful API will be created using WCF. Consequently, the WCF binding type is webHttpBinding.
Fundamentally, the API consists of various resources, e.g. http://domain/service1, http://domain/service2, etc., each of which should only be accessible to a particular Windows domain group. For example, user Joe, who is in the SERVICE1 group, would be able to GET and POST to /service1, but user Sally would not be authorized since Sally is not in the SERVICE1 group.
What I don't understand is how to tie this web service into Windows Authentication security. How can I utilize Windows authentication available on the intranet to achieve authentication?
Here is an example of the interface I might expect:
using System.ServiceModel;
using System.ServiceModel.Web;

[ServiceContract]
public interface IService1
{
    // GET /service1/{value}
    [OperationContract]
    [WebGet(UriTemplate = "service1/{value}")]
    string GetData(string value);

    // POST /service1/{value}
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "service1/{value}")]
    string PostData(string value);
}
And the web.config:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
  <system.serviceModel>
    <services>
      <service name="Work.Service1" behaviorConfiguration="Default">
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost"/>
          </baseAddresses>
        </host>
        <endpoint address="" binding="webHttpBinding" contract="Work.IService1"/>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="Default">
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>
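The way WCF ties a webHttpBinding endpoint to Windows authentication and group-based authorization is: the binding demands Windows credentials on the transport, the service authorization behavior is set to UseWindowsGroups so the caller's Windows token becomes the thread principal, and each operation carries a PrincipalPermission demand naming the domain group. The following is an added example, not code from the question above: it self-hosts the asker's contract so it can be tried outside IIS, and the group name CONTOSO\SERVICE1 and the port 8080 are placeholders (assumptions).

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Web;

namespace Work
{
    [ServiceContract]
    public interface IService1
    {
        [OperationContract]
        [WebGet(UriTemplate = "service1/{value}")]
        string GetData(string value);

        [OperationContract]
        [WebInvoke(Method = "POST", UriTemplate = "service1/{value}")]
        string PostData(string value);
    }

    public class Service1 : IService1
    {
        // CONTOSO\SERVICE1 is a placeholder domain group (assumption). With
        // PrincipalPermissionMode.UseWindowsGroups, WCF evaluates the demand
        // against the Windows token of the authenticated caller, so a caller
        // outside the group is rejected before the method body runs.
        [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\SERVICE1")]
        public string GetData(string value)
        {
            return "GET " + value + " by " + CallerName();
        }

        [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\SERVICE1")]
        public string PostData(string value)
        {
            return "POST " + value + " by " + CallerName();
        }

        // The identity negotiated via Kerberos/NTLM, useful for audit logging.
        private static string CallerName()
        {
            WindowsIdentity id = ServiceSecurityContext.Current.WindowsIdentity;
            return id == null ? "(anonymous)" : id.Name;
        }
    }

    class Program
    {
        static void Main()
        {
            // TransportCredentialOnly: Windows credentials are required on plain
            // HTTP. Use WebHttpSecurityMode.Transport (HTTPS) if the payload
            // itself must be protected on the wire.
            var binding = new WebHttpBinding(WebHttpSecurityMode.TransportCredentialOnly);
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

            var host = new WebServiceHost(typeof(Service1), new Uri("http://localhost:8080/"));
            host.AddServiceEndpoint(typeof(IService1), binding, "");

            // Map the caller's Windows groups onto the principal that
            // PrincipalPermission demands are checked against.
            host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

            host.Open();
            Console.WriteLine("Listening on http://localhost:8080/service1/{value}; press Enter to stop.");
            Console.ReadLine();
            host.Close();
        }
    }
}
```

When hosting in IIS instead, the same settings go into web.config: a binding configuration under system.serviceModel/bindings/webHttpBinding with `<security mode="TransportCredentialOnly"><transport clientCredentialType="Windows"/></security>`, referenced from the endpoint via bindingConfiguration, plus `<serviceAuthorization principalPermissionMode="UseWindowsGroups"/>` inside the service behavior. In IIS itself, Windows Authentication must be enabled and Anonymous Authentication disabled for the application, otherwise the binding's credential requirement and IIS's configuration disagree and the service fails to start. Note that TransportCredentialOnly authenticates the caller but leaves request and response bodies in clear text; on an intranet that is often accepted, but if the payload is sensitive use an HTTPS binding (mode Transport) with the same Windows client credential type.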