
WCF WebHttp Mixed Authentication (Basic AND Anonymous)

All of this is pertaining to WebHttp binding, hosted in a custom Service Host (IIS is not an option at this time).

I've implemented a custom UserNamePasswordValidator, and a custom IAuthorizationPolicy. When I configure the endpoint's binding to use Basic authentication, everything works just as I'd like (custom principal, custom roles, etc.).

I'd like to add the ability for anonymous HTTP access as well, and have my custom implementations put the Anonymous user in some default roles, etc. (if no Authenticate header is sent).

What happens now is that anonymous users are given a 401 before any of my custom code is hit. If I turn off the HTTP Basic authentication requirement, then the Authenticate header is ignored altogether.

How do I configure, or inject an Authenticate header, to do this both ways (without creating 2 separate endpoints)?

TheSoftwareJedi asked Oct 16 '08 18:10


1 Answer

First of all, the service responds correctly to the anonymous call, according to the specification.

Second, this is impossible. When you are self-hosting your service and you have some http binding, WCF will use a System.Net.HttpListener instance to be able to respond to http requests (created in System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen). This listener has a method called HandleAuthentication that is called way before any of your custom code is called. It is responsible for sending back the 401 response with the challenge (WWW-Authenticate). There is nothing you can do about this. If there is, I'd like to know.

So you're left with the following options:

  • two endpoints
  • configure your clients to know the default credentials
  • change your clients so they can respond to the challenge

Ronald Wildenberg answered Nov 15 '22 21:11
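
The "two endpoints" option from the answer above, as an added sketch that is not part of the original question or answer: one self-hosted ServiceHost exposes the same contract at an anonymous address and at a Basic-authenticated address, so the HttpListener challenge applies only to the second. The names DemoService and DemoValidator, the port, the relative addresses "public" and "secure", and the credentials are assumptions made for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.ServiceModel.Web;

[ServiceContract]
public class DemoService // hypothetical service, contract declared on the class for brevity
{
    [OperationContract, WebGet(UriTemplate = "whoami")]
    public string WhoAmI()
    {
        // The unauthenticated endpoint yields no security context or an anonymous one.
        var ctx = ServiceSecurityContext.Current;
        return (ctx == null || ctx.IsAnonymous) ? "anonymous" : ctx.PrimaryIdentity.Name;
    }
}

public class DemoValidator : UserNamePasswordValidator // hypothetical validator
{
    public override void Validate(string userName, string password)
    {
        // Constructed placeholder check; a real validator queries a credential store.
        if (userName != "demo" || password != "placeholder-password")
            throw new SecurityTokenException("Invalid credentials");
    }
}

static class Program
{
    static void Main()
    {
        using (var host = new ServiceHost(typeof(DemoService), new Uri("http://localhost:8080/")))
        {
            // Endpoint 1: no transport authentication, so no 401 challenge is issued.
            var anon = new WebHttpBinding(WebHttpSecurityMode.None);
            // Endpoint 2: Basic. Over plain HTTP the credentials are only base64-encoded;
            // use WebHttpSecurityMode.Transport (HTTPS) outside a lab.
            var basic = new WebHttpBinding(WebHttpSecurityMode.TransportCredentialOnly);
            basic.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
            host.AddServiceEndpoint(typeof(DemoService), anon, "public").Behaviors.Add(new WebHttpBehavior());
            host.AddServiceEndpoint(typeof(DemoService), basic, "secure").Behaviors.Add(new WebHttpBehavior());
            host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
            host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoValidator();
            host.Open();
            Console.ReadLine(); // keep the host alive until Enter is pressed
        }
    }
}
```

Requests to /public/whoami are served without a challenge, while /secure/whoami returns 401 with WWW-Authenticate until valid Basic credentials are sent.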