Expose a WCF Service via Forms Authentication in IIS: how can I make the metadata (?wsdl) public, but the operations protected

Question

We've got some WCF services we're hosting via IIS. The application in general uses Forms Authentication, and we'd like to continue making that available for web service clients. We just have a <authorization><deny users="?"> in our web.config and some authentication/redirection goodness that gets everything done.

The problem is we'd like for users to be able to access the metadata for the services without authentication. Can they visit /services/v1/ArtifactService.svc?wsdl anonymously and yet still require authentication for /services/v1/ArtifactService.svc/rest/GetArtifacts?studyId=123? If so, I can't figure out the right incantation in the configuration.

The best I can think of is to set an absolute URL in the metadata service behavior, but then I have to doctor the path on install anywhere we deploy. (<serviceMetadata httpGetEnabled="true" httpGetUrl="http://some/absolute/path"&gt;).

Any ideas?

Answer 1

Can you post a sample of your config with bindings and endpoints?

Not sure if I'm missing something here, but have you tried changing the binding of the mex endpoint to a basicHttpBinding with no security?

Answer 2

I think this is not possible. If you require authorization on the resource by using allow and deny elements you can't specify different authorization level based on url query. You have to control authorization in the service - PrincipalPermission.