Forms Authentication for WCF


How can I secure my simple WCF service using the FormsAuthentication concept?

The ServiceContract looks similar to this:

    [ServiceContract]
    public interface MovieDb
    {
        [OperationContract]
        string GetData(int value);

        [OperationContract]
        string Login(int value);

        [OperationContract]
        string Logout(int value);
    }

I have used FormsAuthentication in my MVC 4 Application for authentication and authorization.

All I could think of is adding an Authorize filter attribute at the top of the ServiceContract class.

Any pointers in simple terms are much appreciated. Thanks.


You can secure your WCF using username/password (Forms Authentication):

<a href="http://msdn.microsoft.com/en-us/library/ms731058%28v=vs.110%29.aspx" rel="nofollow">Message Security with a User Name Client</a>

If you decide to use membership for authentication, in the WCF configuration on the server side you add a behavior configuring the membership:

    <behavior name="myBehavior">
      <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                            roleProviderName="myRoleProvider"/>
      <serviceCredentials>
        <serviceCertificate findValue="*.mycert.net"
                            storeLocation="LocalMachine"
                            x509FindType="FindBySubjectName"/>
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                membershipProviderName="myMembershipProvider"/>
      </serviceCredentials>
    </behavior>

Your WCF can be validated as simply as

    [PrincipalPermission(SecurityAction.Demand, Role = "My Role")]
    public bool GetSomething(string param1)
    {
        ...

You can find additional information here: <a href="http://msdn.microsoft.com/en-us/library/ff650067.aspx" rel="nofollow">http://msdn.microsoft.com/en-us/library/ff650067.aspx</a>


I know the very useful Authorize keyword in MVC, but so far I didn't find something like that in WCF.

If you are using the WCF service in (and for) the very same IIS application, you might want to write your own implementation of the Authorize keyword, but then for WCF. You can refer to the HttpContext to look at whether the request is authorized or not.

Some extra information can be found here:

<a href="https://stackoverflow.com/questions/4641442/does-wcf-have-an-equivalent-of-mvcs-authorize-attribute" rel="nofollow">Does WCF have an equivalent of MVC's [Authorize] attribute?</a>
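
One way to build the [Authorize]-style check described in the answer above, as an added example (not code from the answer or from WCF itself). `RequireFormsAuthAttribute` is a hypothetical name, and the code assumes the service runs in the same IIS application as the MVC site with ASP.NET compatibility mode enabled, so that `HttpContext.Current` carries the forms-authentication identity.

```csharp
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;
using System.Web;

// Hypothetical attribute (not part of WCF): put it on each operation that
// must only be callable by a user holding a valid forms-authentication ticket.
[AttributeUsage(AttributeTargets.Method)]
public sealed class RequireFormsAuthAttribute : Attribute, IOperationBehavior, IParameterInspector
{
    // Optional role name; null or empty means "any authenticated user".
    public string Role { get; set; }

    public void ApplyDispatchBehavior(OperationDescription description, DispatchOperation dispatch)
    {
        // Register this instance so BeforeCall runs ahead of every invocation.
        dispatch.ParameterInspectors.Add(this);
    }

    public object BeforeCall(string operationName, object[] inputs)
    {
        // HttpContext.Current is null when ASP.NET compatibility mode is off.
        // Treat that as "not authenticated" so a misconfiguration fails closed.
        HttpContext context = HttpContext.Current;
        var user = context == null ? null : context.User;

        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new SecurityAccessDeniedException("Authentication required.");

        if (!string.IsNullOrEmpty(Role) && !user.IsInRole(Role))
            throw new SecurityAccessDeniedException("Access denied.");

        return null; // no correlation state is needed for AfterCall
    }

    // The remaining interface members are not needed for this check.
    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState) { }
    public void AddBindingParameters(OperationDescription description, BindingParameterCollection parameters) { }
    public void ApplyClientBehavior(OperationDescription description, ClientOperation client) { }
    public void Validate(OperationDescription description) { }
}
```

Leave the `Login` operation undecorated so that callers can still obtain a ticket. The host needs `aspNetCompatibilityEnabled="true"` on `serviceHostingEnvironment` and the service class needs an `AspNetCompatibilityRequirements` mode of `Allowed` or `Required`.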

