Does WCF UserNamePasswordValidator require checking PrimaryIdentity.IsAuthenticated?

By : Jesse

Currently I have a service that uses a UserNamePasswordValidator to authenticate the client user. The code for the validation goes as follows:

  public override void Validate(String userName, String password)
      if (userName == null) || (password == null)
          throw new FaultException("Username and/or password not specified.");
      if (userName != "test") && (password != "tset")
          throw new FaultException("Invalid username and/or password.");

As you can see, the code will always throw an exception when something is wrong.

Now for the question - Is there any reason I should check whether ServiceSecurityContext.Current.PrimaryIdentity.IsAuthenticated is true inside my OperationContract functions? For example,

  public interface IMyService
      void myOpContract();

  public class MyService : IMyService
      public void myOpContract()
          // Do I really need this conditional statement?
          if (ServiceSecurityContext.Current.PrimaryIdentity.IsAuthenticated)
              // Proceed as expected
              // Fail?

Any help would be greatly appreciated.

By : Jesse


From several comments in this article - Silverlight 3: Securing your WCF service with a custom username / password authentication mechanism and from various tests - the if ([...]PrimaryIdentity.IsAuthenticated) section is not required. Throwing a fault inside the UserNamePasswordValidator does the trick of aborting the security negotiation.

However, one excellent idea on behalf of the author is that leaving the if ([...]PrimaryIdentity.IsAuthenticated) conditional statement in place helps if in the future a new binding (connection type) is added with no security.

By : Jesse

This video can help you solving your question :)
By: admin