This project is read-only.

Which classes may I use for filtering and overriding?

Topics: Web Api
Oct 4, 2011 at 4:48 PM


I just discover WCF Web API today, and I am making a little project with forms authentication.

I would like to create something similar to the AuthorizeAttribute from ASP.NET MVC. I would call it WcfFormsAuthorizeAttribute

In the methods that WcfFormsAuthorizeAttribute filter is present, it will look for a valid AUTH cookie, deserialize the IPrincipal derived object, and put it as Thread.CurrentPrincipal and HttpContext.Current.User. If the cookie is not present or valid, then return a HTTP 401.

First problem: I don't know which element should I derive of in order to create WcfFormsAuthorizeAttribute? I have read that there are operations and message handlers, which one would be the best option to accomplish this?

Second problem: FormsAuthentication module overrides the HTTP 401 with a HTTP 302. This is because in web applications, it redirects you to the login page. But in a service this doesn't make sense, so I would like to avoid that overriding. How could I do it?


Oct 4, 2011 at 5:07 PM


First problem: I would recommend an operation handler

Second problem:

1) Decouple authentication from authorization.

2) For authentication, do you want "forms authenciation" (i.e. HTTP 302 to a login form) or "basic authentication"?

Additional resources: (very experimental)



Oct 5, 2011 at 5:08 PM

1) Right. I have created an operation handler that sets the IPrincipal:


    public class WcfAuthorize : HttpOperationHandler
        protected override IEnumerable<HttpParameter> OnGetInputParameters()
            yield break;

        protected override IEnumerable<HttpParameter> OnGetOutputParameters()
            yield break;

        protected override object[] OnHandle(object[] input)
            IPrincipal usr = HttpContext.Current.User;

            if (usr.Identity.IsAuthenticated && usr.Identity.AuthenticationType == "Forms")
                FormsIdentity fIdent = usr.Identity as FormsIdentity;
                MyPrincipal fp = new MyPrincipal(fIdent.Ticket);
                HttpContext.Current.User = System.Threading.Thread.CurrentPrincipal = fp;
                HttpContext.Current.User = System.Threading.Thread.CurrentPrincipal = MyPrincipal.Anonymous;

            return null;

It is executed in all requests, how could I create a handler that only executes in certain methods marked with an attribute?


2) For authentication I want forms authentication, but without the 302 redirection. I have accomplish this with a old fashion IHttpModule, when I see a HTTP 302 redirecting to "noredirect.aspx", I swap it for a HTTP 401. So far, so good, but I would like to know if there is a new way to do things like that.

I am starting to lose hope, there is really nothing like the ASP.NET MVC ActionFilters ?


Oct 5, 2011 at 7:37 PM


a) You can conditional register the operation handler, namely based on the presence of an attribute on the operation. Use operation description for that purpose.

b) I would not attache the principal to HttpContext or CurrentPrincipal. Instead, return the principal from the operation, so that it can be used as an operation parameter.


Oct 6, 2011 at 11:14 AM

Good it worked perfectly, thanks!