Require credentials for some methods only in WCF web service

I have a UserAccountService with different methods, some of which require the user to be authenticated (e.g. ChangePassword, ChangeUserData) and some not (RegisterUser).

However, I can't seem to get it to work so that only some methods require authentication.

The methods that require authentication are decorated with

    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]

In my app.config I have a binding specified which uses encryption and requests UserName credentials:

    <binding name="authenticatedBinding">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>

(I am using basicHttpBinding)

I also have a custom authentication provider configured:

    <serviceCredentials>
      <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="..." />
    </serviceCredentials>

With this configuration I can't seem to call any methods on the service without being authenticated.

If I leave out the security configuration, then I can call the methods that don't require authentication, but the message credentials are no longer being transported.

How do I have to configure my service so that all methods can be called, and the username/password is only required when the PrincipalPermission demands it?

I am using Silverlight as my client, if that's important...

Thanks!

aKzenT asked Oct 11 '22 06:10

1 Answer

Security settings can be fine-grained at the endpoint level but not within a contract, so you cannot combine secure and unsecured methods in the way you desire. I would suggest that:

  1. You break up your service contract (interface) into two parts: one for the unsecured methods, and a second that inherits from the unsecured part and contains the operations that need to be secured.
  2. Your service implementation need not change (as it should be implementing the secured interface); all you need to do is expose this implementation as two different contracts (one secured and another unsecured) at two different endpoints. You need to lock down the endpoint with the secured contract with whatever security configuration is needed.
  3. Unfortunately, from the client's perspective, you have to switch the endpoint/URL at the authentication boundary, i.e. until the user is authenticated you use the unsecured endpoint, but once authenticated, the client may use any endpoint.
VinayC answered Nov 15 '22 00:11
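The split the answer describes, written out as an added C# example (not the asker's or VinayC's code): the contracts are set up programmatically on a ServiceHost instead of in app.config, and the contract names, operation signatures, the `public`/`secured` relative addresses and the `validator` parameter are assumptions standing in for the question's own types and the `customUserNamePasswordValidatorType` it configures.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Security;

// Unsecured part: operations anyone may call before logging in.
[ServiceContract]
public interface IPublicUserAccountService
{
    [OperationContract]
    void RegisterUser(string userName, string password);
}

// Secured part inherits the public operations and adds those that need a caller identity.
[ServiceContract]
public interface IUserAccountService : IPublicUserAccountService
{
    [OperationContract]
    void ChangePassword(string oldPassword, string newPassword);
}

// One implementation serves both contracts; the demand only guards the secured operation.
public class UserAccountService : IUserAccountService
{
    public void RegisterUser(string userName, string password) { /* create the account */ }

    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public void ChangePassword(string oldPassword, string newPassword) { /* update the password */ }
}

public static class HostSetup
{
    // 'validator' is the custom UserNamePasswordValidator the question references by type name.
    public static ServiceHost Create(UserNamePasswordValidator validator)
    {
        var host = new ServiceHost(typeof(UserAccountService), new Uri("https://localhost/UserAccount"));

        // Endpoint 1: unsecured contract over TLS only, no message credential required.
        host.AddServiceEndpoint(typeof(IPublicUserAccountService),
            new BasicHttpBinding(BasicHttpSecurityMode.Transport), "public");

        // Endpoint 2: secured contract with the binding from the question (TLS + UserName credential).
        var secured = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        secured.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IUserAccountService), secured, "secured");

        // Wire the custom validator so the secured endpoint checks the supplied username/password.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = validator;
        return host;
    }
}
```

A client calls `.../UserAccount/public` through the `IPublicUserAccountService` proxy until it has credentials, then switches to `.../UserAccount/secured` with the `IUserAccountService` proxy, which is the endpoint switch the answer's third point refers to.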