Is there some sort of "built-in" authentication in WCF? I need to expose a web service to our clients so they can check status of their transactions.
My initial thought was they would just use their normal Username and Password passed in as method properties. It would be over SSL, of course, but is this method of authentication not secure?
Does WCF have some better way of allowing authentication with the request other than passing through method parameters?
WCF contains a very extensive infrastructure for all kinds of security. Too much for me to explain here but if you are interested in the topic I can really recomend Juval Lowy's Programming WCF Services 2nd edition. Otherwise you can also find the relevant information at http://msdn.microsoft.com/en-us/library/ms735093.aspx but it will be allot more work on your end to figure out the overall picture.
The scenario you are looking into is quite common only most of the times the username and password are passed in the header of the soap message instead of as parameters of the method. There is a article about to implement this over at theserverside.net