Limiting access to a WCF REST (webHttpBinding) Service using the ASP.NET Membership Provider?

Question

I have found a lot of material on the web about using the ASP.NET Membership Provider with the wsHttpBindings, but I haven't seen any reference to using it with webHttpBindings.

I am looking for a system that will work in two scenarios:

1. The user is logged into an asp.net website and the website is making calls to the service.
2. The user accesses the service directly via REST.

Is this possible using the built in framework (i.e. just through configuration)? If so how do I configure the service? And how does the user pass the credentials to the REST service?

Answer 1

ADO.NET Data Services you mean?

You can build a QueryInterceptor for an entity and limit the access to it. For example:

    [QueryInterceptor("foo_entity")]
    public Expression<Func<foo_entity, bool>> FilterMembership()
    {
        MembershipUser user = Membership.GetUser();
        Guid userGuid = (Guid)user.ProviderUserKey;
        return c => c.UserId == userGuid;
    }

Answer 2

The best source I've found is here: http://www.leastprivilege.com/FinallyUsernamesOverTransportAuthenticationInWCF.aspx

The site also has tons of other information about setting up HTTP Modules to handle basic authentication (which I'm guessing you'll be using since it is kind of the standard).

The HTTP Module authentication method is located on Codeplex with sample code and everything here: http://www.codeplex.com/CustomBasicAuth