How to Authenticate and Authorize every WCF call?

Question

I have WPF client consuming WCF service hosted in IIS. For authentication I am thinking of either certificate or user name authentication. Client calls couple of methods in WCF and passes some message.

1. For every call that comes to WCF, I want to authenticate the user.
2. To place message in db, I have to know who is the caller, what is their username and few other properties about the user. How to pass these info[may be a small object] on every call?

Answer 1

This is the recommended default behavior - each call to the WCF service gets a new instance of the service, and each call is authenticated and authorized.

Just make sure not to enable things like session mode in WCF, and don't go down the path of a WCF singleton.

Just keep a regular, standard "per-call" WCF service - no issue there.

If you're on a corporate LAN, you could also think about using Windows credentials for authentication (which is the default for wsHttpBinding and netTcpBinding).

There's a really extensive WCF Security Guide which has tons of samples and how-to guides on how to set up certain scenarios of WCF security.

I would also recommend you check out The Fundamentals of WCF Security for a great intro to WCF and its security mechanisms.

A bit more advanced is the idea of Declarate WCF Security in which Juval Lowy introduces five security scenarios (that's a very worthy read!) and encapsulates them into security attributes to be applied to your service contract(s).