Token-Based Authentication in WCF

Question

I am creating a website which will contain both ASP.NET pages and a Flash applet. I want to encapsulate my business logic in a WCF service which will be exposed through two

Answer 1

As it seems the original question has been answered I'll keep this brief, but one approach would indeed be to pass the authentication token in an http header and override CheckAccess(OperationContext operationContext, ref Message message) in a custom ServiceAuthorizationManager .

You will have previously configured the service to use a custom policy that implements IAuthorizationPolicy.

All that remains is to implement simple IIdentity and IPrincipal classes to store your authorization state.

A number of good articles exist on this subject:

http://msdn.microsoft.com/en-us/library/system.identitymodel.policy.iauthorizationpolicy.aspx

http://msdn.microsoft.com/en-us/library/system.servicemodel.serviceauthorizationmanager.aspx

I guess this may still feel like a "roll-your-own" solution, but its at least reassuring when you're following an established pattern. It does have the advantage of black-boxing your authorization code from your service methods.