Does WCF UserNamePasswordValidator require checking PrimaryIdentity.IsAuthenticated?

By : Jesse
Source: Stackoverflow.com
Question!

Currently I have a service that uses a UserNamePasswordValidator to authenticate the client user. The code for the validation goes as follows:

  public override void Validate(String userName, String password)
  {
      // Both conditions must sit inside a single pair of parentheses to compile.
      if ((userName == null) || (password == null))
          throw new FaultException("Username and/or password not specified.");
      // Reject unless both the user name and the password match.
      if ((userName != "test") || (password != "tset"))
          throw new FaultException("Invalid username and/or password.");
  }

As you can see, the code will always throw an exception when something is wrong.

Now for the question - Is there any reason I should check whether ServiceSecurityContext.Current.PrimaryIdentity.IsAuthenticated is true inside my OperationContract functions? For example,

  [ServiceContract]
  public interface IMyService
  {
      [OperationContract]
      void myOpContract();
  }

  public class MyService : IMyService
  {
      public void myOpContract()
      {
          // Do I really need this conditional statement?
          if (ServiceSecurityContext.Current.PrimaryIdentity.IsAuthenticated)
          {
              // Proceed as expected
          }
          else
          {
              // Fail?
          }
      }
  }

Any help would be greatly appreciated.

By : Jesse


Answers

From several comments in this article - Silverlight 3: Securing your WCF service with a custom username / password authentication mechanism and from various tests - the if ([...]PrimaryIdentity.IsAuthenticated) section is not required. Throwing a fault inside the UserNamePasswordValidator does the trick of aborting the security negotiation.

However, one excellent idea on behalf of the author is that leaving the if ([...]PrimaryIdentity.IsAuthenticated) conditional statement in place helps if in the future a new binding (connection type) is added with no security.

By : Jesse
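
The defense-in-depth check discussed in the answer above, as an added example that is not part of the original question or answer. `CallerGuard` and `RequireAuthenticatedCaller` are hypothetical names. The example also handles the case where `ServiceSecurityContext.Current` is null, which is what an operation sees when it is reached through a binding with no security, so the validator never ran.

```csharp
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical helper (not from the original post): centralizes the
// "is this caller authenticated?" check so every operation fails closed.
public static class CallerGuard
{
    public static IIdentity RequireAuthenticatedCaller()
    {
        // Current is null when the endpoint's binding carries no security,
        // so dereferencing it directly would throw NullReferenceException.
        ServiceSecurityContext context = ServiceSecurityContext.Current;
        if (context == null || context.IsAnonymous)
            throw new FaultException("Authentication required.");

        // Belt and braces: the identity itself must also report authenticated.
        IIdentity identity = context.PrimaryIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new FaultException("Authentication required.");

        return identity;
    }
}

[ServiceContract]
public interface IMyService
{
    [OperationContract]
    void myOpContract();
}

public class MyService : IMyService
{
    public void myOpContract()
    {
        // Throws before any work is done if the caller was never authenticated.
        IIdentity caller = CallerGuard.RequireAuthenticatedCaller();

        // Proceed as expected on behalf of the authenticated caller.
    }
}
```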

