This project is read-only.

Securing a service

Topics: Web Api
Nov 12, 2010 at 2:51 PM

I am using thw WCF Web Api witin a MVC 3 application. I applied the [Authorize] attribute to a function in the service, but this is not being enforced. How does one go about securing the function or service to authenticated requests only?

Nov 12, 2010 at 3:17 PM

1) Can you be more specific about "WCF Web Api witin a MVC 3 application"? Is the MVC 3 application a client of a service developed with WCF HTTP?

2) Where are you placing the [Authorize] attribute?



Nov 12, 2010 at 3:37 PM

The website is MVC 3 and host a WCF Http service within the same project. The service route registered is:

            var configuration = new WebApiConfiguration();
            routes.AddServiceRoute<TestService>("testservice", configuration);

The function is simply:

        [WebInvoke(UriTemplate = "JsonString/")]
        public List<string> JsonString()
            return new List<string> { "Api string A""Api string B""Api string C""Api string D" };

The URL used in the ajax request is:


The [Authorize] attribute placed on the service method is not enforced as it is within a controller function. Either it's not supported or there is a different attribute or setting I need to used to ensure that the request is allowed only if the user has been authenticated already. basically disallow anonymous.


Nov 12, 2010 at 4:17 PM


The [Authorize] attribute is MVC specific and is not taken into consideration by the WCF runtime.

With WCF, one way is to use the old PrincipalPermissionAttribute. However, take into consideration the following:

How are you authenticating the requestor?


Pedro Félix


Nov 12, 2010 at 4:50 PM

I am using Asp.Net forms forms authentication.

I hoped that the new WCF Web Api bits would play nice within the MVC stack. This does not seem to be the case.

Having limited resources and time in order to pursue this, it's unfortunate that I will have to drop the bits and rather stick to controller actions instead.

Nov 12, 2010 at 8:59 PM


What in particular is not playing well?

As far as dropping the bits, you are seeing bits in a very early state and which currently contain a bunch of prototype stuff which we will be replacing very soon. We went out the door early intentionally to let the community weigh in.

However, I am sorry if you are running into difficulties. Let me know exactly what issues you are seeing with MVC.


Nov 12, 2010 at 9:05 PM

@Glenn - as the sample above shows, I added the MVC "Authorize" attribute to my function in the WCF service. The attribute was however not enforced and the call succeeded even though I was not authenticated.

And I understand 100% about being very early bits. What you showed us at PDC and what I learnt so far is great - and I love it. I think it is making WCF more mainstream friendly and easy to use.

Nov 12, 2010 at 9:12 PM

Great Barone

It is very possible that it is due to the prototype state of the bits. I'll look into it though. Can you do me a favor and add a workitem for this so we can track it?