Click here to Skip to main content
14,422,059 members

WCF REST 4.0 Authorization with Form Based Authentication (SetAuthCookie)

Rate this:
4.88 (24 votes)
Please Sign up or sign in to vote.
4.88 (24 votes)
19 Mar 2013CPOL
How to create custom authorization policy and return HTTPContext Identity for authorization.


Windows Communication Foundation provides tons of methods to authenticate users' check for authorization based on the service type that it's quite confusing to implement simple form based authentication and role based authorization for WCF REST 4.0.

Note: This article assumes that the WCF REST service is hosted with the ASP.NET application and shares the same web.config. Make sure that Form Authentication is enabled in the web.config file.


There are many ways to authenticate and authorize a user in a WCF Service, but in this example, the authentication cookie will already be created by the login page and that will be used by subsequent requests made to the REST service for authorization.

Using the Code

A typical way to authorize a user for a specific role is to use the Principal Permission attribute. Something like this:

WebGet(UriTemplate = "")]
[PrincipalPermission(SecurityAction.Demand, Role="Admin")]
public List<SampleItem> GetCollection(){} 

But even though after the user is authenticated using Membership provider and HTTPContext.Current.User.Identity and the context is available at service level, the principal permission attribute always throws a security exception.

The reason for that is the principal permission attribute checks for System.Threading.Thread.CurrentPrincipal.Identity and not for the HTTPContext Identity.

To solve this problem, we have to create a Custom Principal and Authorization Policy for the WCF Service. Then this policy will be hooked with the WCF REST Service using ServiceBehaviour.

Custom Principal

Here is the code for the custom principal:

public class CustomPrincipal: IPrincipal
    private IIdentity _identity;
    public IIdentity Identity
            return _identity;

    public CustomPrincipal(IIdentity identity)
        _identity = identity;

    public bool IsInRole(string role)
        return Roles.IsUserInRole(role);

Here the ASP.NET Membership Role provider is used to verify if the user is in a particular role or not. We can have our custom implementation that does not use the Membership provider.

Authorization Policy

Now create an Authorization policy that sets the Custom Principal to the evaluation context:

public class AuthorizationPolicy : IAuthorizationPolicy
    string id = Guid.NewGuid().ToString();

    public string Id
        get { return; }

    public System.IdentityModel.Claims.ClaimSet Issuer
        get { return System.IdentityModel.Claims.ClaimSet.System; }

    // this method gets called after the authentication stage
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        // get the authenticated client identity
        IIdentity client = HttpContext.Current.User.Identity; 
        // set the custom principal
        evaluationContext.Properties["Principal"] = new CustomPrincipal(client);

        return true;

If you look closely, the custom principal is created using the HTTPContext Identity that was created after the user is authenticated using membership provider and the authentication cookie is set after validating the user. Something like this:

FormsAuthentication.SetAuthCookie(username, false);

Attach Authorization Policy to WCF

This can be done by creating a service behavior in the web.config file. But here, I have created a custom service behavior by implementing IServiceBehavior and attaching the authorization policy to it.

public class SecurityBehaviorAttribute : Attribute, IServiceBehavior
    public void ApplyDispatchBehavior(ServiceDescription serviceDescription, 
    	System.ServiceModel.ServiceHostBase serviceHostBase)
        List<IAuthorizationPolicy> policies = new List<IAuthorizationPolicy>();
        policies.Add(new AuthorizationPolicy());
        serviceHostBase.Authorization.ExternalAuthorizationPolicies = 

        ServiceAuthorizationBehavior bh =
        if (bh != null)
            bh.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
            throw new NotSupportedException();

    public void AddBindingParameters(ServiceDescription serviceDescription, 
    	System.ServiceModel.ServiceHostBase serviceHostBase, 
    	System.Collections.ObjectModel.Collection<ServiceEndpoint> endpoints, 
    	System.ServiceModel.Channels.BindingParameterCollection bindingParameters) { }

    public void Validate(ServiceDescription serviceDescription, 
    	System.ServiceModel.ServiceHostBase serviceHostBase) { }

Here, ServiceAuthorizationBehavior PrincipalPermissionMode is set to Custom and the Authorization policy is added to the servicehost.

Service Code

Make sure that the service behavior is added as an attribute to the service class.

[AspNetCompatibilityRequirements(RequirementsMode = 
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class Service1  {
    [WebGet(UriTemplate = "")]
    [PrincipalPermission(SecurityAction.Demand, Role="Admin")]
    public List<SampleItem> GetCollection()
        var value =  System.Web.HttpContext.Current.User.Identity.IsAuthenticated;
        return new List<SampleItem>() { new SampleItem() 
			{ Id = 1, StringValue = "Hello" } };

That's all. Now we can add the PrincipalPermission attribute to any web method and authorize the user for a specific role. We can also implement a custom PrincipalPermission attribute to control the granularity of authorization.

Note: We can also create an Authentication service to validate the user name password and create an authentication cookie after validation. Here, the assumption is that WCF REST is hosted with the Web application and therefore shares the context.

Let me know if there is any better way to achieve the same thing without providing user name and password at each request.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Anupama Agarwal
India India
I work as a freelance consultant and is passionate about taking challenges in latest technology.
I am a solution architect and trainer with 9+ years experience in designing, developing and maintaining enterprise wide application using latest technology like SharePoint 2010, MOSS 2007, Business Intelligence, SQL Server 2008, Reporting Service, Analysis Service and Integration service.

Comments and Discussions

QuestionHow to implement JWT on WCF REST API Pin
Nagen011-Aug-18 7:19
MemberNagen011-Aug-18 7:19 
QuestionThank you for your great article Pin
Member 1330524021-Aug-17 21:49
MemberMember 1330524021-Aug-17 21:49 
GeneralMy vote of 2 Pin
Nirosh20-Jun-14 0:18
professionalNirosh20-Jun-14 0:18 
Questionsome difficulty implementing Pin
noncitizen2-Jun-14 5:04
Membernoncitizen2-Jun-14 5:04 
AnswerRe: some difficulty implementing Pin
Anupama Agarwal2-Jun-14 6:34
MemberAnupama Agarwal2-Jun-14 6:34 
GeneralRe: some difficulty implementing Pin
noncitizen3-Jun-14 5:41
Membernoncitizen3-Jun-14 5:41 
AnswerRe: some difficulty implementing Pin
noncitizen3-Jun-14 5:32
Membernoncitizen3-Jun-14 5:32 
GeneralRe: some difficulty implementing Pin
Anupama Agarwal3-Jun-14 19:37
MemberAnupama Agarwal3-Jun-14 19:37 
GeneralMy vote of 1 Pin
dave_dv7-Oct-13 4:25
Memberdave_dv7-Oct-13 4:25 
QuestionRequest for principal permission failed Pin
yahav_g16-Jul-13 0:51
Memberyahav_g16-Jul-13 0:51 
QuestionThanks!! Pin
paulopez27-Apr-13 0:06
Memberpaulopez27-Apr-13 0:06 
GeneralMy vote of 5 Pin
Prasad Khandekar20-Mar-13 23:19
professionalPrasad Khandekar20-Mar-13 23:19 
QuestionVisual Studio 2012 Pin
Nejimon CR19-Mar-13 8:38
MemberNejimon CR19-Mar-13 8:38 
AnswerRe: Visual Studio 2012 Pin
Anupama Agarwal22-Mar-13 22:13
MemberAnupama Agarwal22-Mar-13 22:13 
GeneralRe: Visual Studio 2012 Pin
Nejimon CR23-Mar-13 5:41
MemberNejimon CR23-Mar-13 5:41 
QuestionLogin as service Pin
shivendra.kush15-Feb-13 19:28
Membershivendra.kush15-Feb-13 19:28 
AnswerRe: Login as service Pin
Anupama Agarwal22-Mar-13 22:12
MemberAnupama Agarwal22-Mar-13 22:12 
QuestionNice solution Pin
Abbath134924-Dec-12 8:00
MemberAbbath134924-Dec-12 8:00 
AnswerRe: Nice solution Pin
Anupama Agarwal25-Dec-12 9:37
MemberAnupama Agarwal25-Dec-12 9:37 
Questiongood solution! Pin
antares763-Dec-12 1:35
Memberantares763-Dec-12 1:35 
GeneralMy vote of 5 Pin
sandippatil19-Sep-12 22:45
Membersandippatil19-Sep-12 22:45 
GeneralMy vote of 5 Pin
mrwh12-Apr-12 11:48
Membermrwh12-Apr-12 11:48 
GeneralSimple Authentication implementation Pin
Member 4049653-Jan-12 20:29
MemberMember 4049653-Jan-12 20:29 
GeneralMy vote of 5 Pin
nilu200426-Dec-11 2:06
Membernilu200426-Dec-11 2:06 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Posted 25 Dec 2011

Tagged as


50 bookmarked