WCF in IIS: basic authorization performed by WCF

Question

I am hostin WCF service in IIS and I am using basic authorization. As IIS is performing the authorization, my WCF service has no ability to tell if particular user is allowed or not. Unfortunately, I have to support a list of enabled user names. The service and the metadata must be available only for the users on the list, and not the others. How is this possible, using only basic authorization? Message authorization is not an option, as I have no control on the service consumers.

Clarification: I can assign Windows users to the service, restricting access to specific group. What I want to achieve is to allow the service programatically restrict access to specific users. The naive approach using UserNamePasswordValidator can not be used, since IIS is performing the authentication on its own.

Answer 1

Seems to me like you might be confusing two separate concerns:

When using transport security with WCF in your case, IIS will do the Authentication. This is only validating that the specified username/password is a valid combination in the authentication context (local machine or domain).

However, what you want to do is use Authorization to control if the authenticated user has access to your service or not. This is a separate concern where WCF does have control over this. What you want to do is setup an authorization policy that grants access to the service to only those users you want.

By default, this would be done based on Windows Group membership, but if that is not a good fit for your scenario, you can customize how that happens at the WCF level, for example using the ASP.NET Role Membership provider, or even with a custom role provider.

The following two articles should point you in the right direction:

• http://msdn.microsoft.com/en-us/magazine/cc948343.aspx
• http://msdn.microsoft.com/en-us/library/ms731306%28v=vs.110%29.aspx