
Are requests to a WCF service hosted by WAS authenticated by IIS processing pipeline or ...?

Tags: iis-7, wcf, was

Following questions assume we're hosting in WAS a WCF service side by side with Asp.Net:

"When hosting WCF side by side with Asp.Net - The WCF hosting infrastructure intercepts WCF requests when the PostAuthenticateRequest event is raised and does not return processing to the ASP.NET HTTP pipeline. Modules that are coded to intercept requests at later stages of the pipeline do not intercept WCF requests."

"With side-by-side configuration, the WCF hosting infrastructure intercepts WCF messages and routes them out of the HTTP pipeline"

a) Assuming WAS receives a request for a WCF service, will WCF's authentication mechanism ( Windows, MembershipProvider or Custom authentication ) be invoked when PostAuthenticateRequest event is raised, or will WCF authenticate a request only after it routes the request out of the HTTP pipeline? In other words, is WCF's authentication mechanism working outside of IIS's processing pipeline?

b) If WCF's authentication mechanism is working outside the IIS processing pipeline, then I assume FormsAuthenticationModule isn't involved with authenticating the WCF client ( assuming service is using forms authentication )?

c) Also, if WCF's authentication mechanism is working outside the IIS processing pipeline, then I assume IIS/WAS must be configured for anonymous authentication, even if service is authenticating clients using windows authentication?

d) Would answers to my above question be any different if WCF service was hosted by IIS7 ( besides the fact that service must only use endpoints that communicate over HTTP protocol )?

Thank you

user702769 asked Jul 19 '11 17:07


2 Answers

I would recommend implementing a technical spike project.

At the core you can always implement a codeaccessattribute to secure your operationcontracts.

You can start by applying PrincipalPermission (built in), where you set IPrincipal on Thread.CurrentPrincipal (constructor of your WCF service). When hosted in IIS you can set HttpContext.Current.User; however, HttpContext will be null in your case. To use PrincipalPermission you will need to have your own ability to create/implement IPrincipal.

Leblanc Meneses answered Sep 22 '22 05:09


I can only answer part D and part of B, but this may be enough to address the problem you are trying to solve: if you host the WCF service inside an ASP.Net application, then Forms Authentication is supported IF you enable ASP.Net compatibility in the WCF service. We use this method extensively with our Silverlight applets.

This is a two-step process:

1) Decorate your WCF service implementing class with the AspNetCompatibilityRequirements attribute (vb.net code below):

<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)> _

2) Add the following entry to your <system.serviceModel> section in web.config:

<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
competent_tech answered Sep 22 '22 05:09
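
The service side of the two-step procedure above, as an added example that is not code from either answer. `IOrderService`, `OrderService` and `RequireAuthenticatedCaller` are hypothetical names. It uses `Required` instead of `Allowed` so the service refuses to activate without ASP.NET compatibility, and it rejects any call that reaches an operation without an authenticated `HttpContext.Current.User`.

```vbnet
Imports System.ServiceModel
Imports System.ServiceModel.Activation
Imports System.ServiceModel.Security
Imports System.Web

' Hypothetical contract, for illustration only.
<ServiceContract()> _
Public Interface IOrderService
    <OperationContract()> _
    Function GetOrdersForCaller() As String
End Interface

' Required (instead of Allowed) makes service activation fail unless web.config
' contains <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />.
' With Allowed, the same class also runs when compatibility mode is off, and
' then the request bypasses the ASP.NET pipeline (no FormsAuthenticationModule,
' HttpContext.Current is Nothing).
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Required)> _
Public Class OrderService
    Implements IOrderService

    Public Function GetOrdersForCaller() As String _
        Implements IOrderService.GetOrdersForCaller

        ' Every operation resolves the caller first; nothing runs for anonymous requests.
        Dim caller As String = RequireAuthenticatedCaller()
        Return "orders for " & caller
    End Function

    ' Fail closed: a missing HttpContext or an unauthenticated identity both
    ' end in an access-denied fault rather than a default or empty user name.
    Private Shared Function RequireAuthenticatedCaller() As String
        Dim ctx As HttpContext = HttpContext.Current
        If ctx Is Nothing OrElse ctx.User Is Nothing OrElse _
           ctx.User.Identity Is Nothing OrElse _
           Not ctx.User.Identity.IsAuthenticated Then
            Throw New SecurityAccessDeniedException("Access is denied.")
        End If
        Return ctx.User.Identity.Name
    End Function
End Class
```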