ASP.NET to WCF - passthrough security?

暗喜 2021-01-15 04:43

I have an MVC website that sits on top of a WCF service. The WCF service is also accessible to the internet with username/password authentication using message security and c

1 Answer
  • 2021-01-15 05:31

    This is a very strange architecture. Why authenticate the user twice? Just set up a different endpoint (net.pipe) for your MVC and avoid the second authentication. If you need to know the authenticated user on the service as well, you have two choices, depending on the trust in your MVC application:

    1. Send the user name as a custom message header. Cons: If a hacker bypasses your authentication, she can call your service with any user name.
    2. Don't authenticate the user directly in MVC. Instead, always authenticate the user in WCF and create a custom membership provider for MVC which will call the authentication service. The service will also generate a token for your authenticated user, and each operation will validate that token. Cons: Complexity.

    Edit: There is a related post with a similar question. You can find other suggestions there.
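
Option 2 above, sketched as an added example (not code from the answer): the service signs the user name and an expiry with an HMAC key only it holds, so a caller cannot swap in another user name the way it could with the bare header of option 1. The class name `SessionToken`, the token layout and the demo key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
public static class SessionToken   // hypothetical name and token layout, not from the post
{
    // Authentication operation: call only after the username/password check succeeds.
    public static string Issue(string userName, byte[] key, DateTime expiresUtc)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(userName)) + "." + expiresUtc.Ticks;
        return payload + "." + Convert.ToBase64String(Sign(payload, key));
    }

    // Every other operation: the identity comes from the verified token, not a caller-chosen name.
    public static bool TryValidate(string token, byte[] key, DateTime nowUtc, out string userName)
    {
        userName = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3) return false;
        try
        {
            byte[] mac = Convert.FromBase64String(parts[2]);
            if (!FixedTimeEquals(mac, Sign(parts[0] + "." + parts[1], key))) return false; // altered or forged
            if (nowUtc.Ticks >= long.Parse(parts[1])) return false;                       // expired
            userName = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
            return true;
        }
        catch (FormatException) { return false; }
        catch (OverflowException) { return false; }
    }
    static byte[] Sign(string payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var key = new byte[32];   // constructed demo key; the service would keep its key secret
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        string user, token = Issue("alice", key, DateTime.UtcNow.AddMinutes(20));
        Console.WriteLine(TryValidate(token, key, DateTime.UtcNow, out user) + " " + user);
        Console.WriteLine(TryValidate(token.Replace("YWxpY2U=", "Ym9i"), key, DateTime.UtcNow, out user));
    }
}
```

The second call in `Main` replaces the encoded user name "alice" with "bob" while keeping the original signature, which is the substitution that option 1's unsigned header cannot detect.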
