ansaurus

Question

Answer 1

A:

One way to go about this is through a Generic that becomes your response wrapper, and a helper function to check the authentication like so:

[DataContract]
public sealed class AuthenticatedRequest<T> {
    [DataMember(Order=0)]
    public string SessionToken {get; set;}

    [DataMember(Order=1)]
    public T RequestBody {get; set; }

    public static bool IsAuthenticated () {
        . . .
    }
}

Justin Dearing 2010-08-29 10:36:47

Doing this would violate the constraints of a RESTful system.

Darrel Miller 2010-08-29 12:38:33

What particular constraint would it violate?

Justin Dearing 2010-08-29 14:07:03

Requests must be stateless. Maintaining a session on the server is a violation of that constraint. If that returned token is resent with every request and is used solely to confirm authentication then the impact on scalability and self-descriptiveness will be minimal. Just don't start associating other state to that session.

Darrel Miller 2010-08-29 17:53:28

Well you can send the name and password, or a key with every request. The method is still sound.

Justin Dearing 2010-08-30 16:15:42

Answer 2

+2 A:

Requests in a RESTful system are stateless and therefore you are required to re-authenticate on every request.

I suggest you use HTTP Basic Authentication and if that is not sufficient for your scenario then perhaps you can do HTTP Basic Authentication over HTTPS.

Darrel Miller 2010-08-29 12:37:29

basic/digest authentication is a nice idea, but it has a problem with WCF(only works with windows accounts)

MindFold 2010-08-29 13:09:14

Answer 3

A:

Ok, after looking around i've found the answer, i'm passing a special authentication header, similar to Amazon S3.

its not that simple to build but will allow me to work without SSL and will be stateless and support all clients.

MindFold 2010-08-31 10:19:29

ansaurus

tags:

views:

answers:

REST WCF Authentication

related questions