I have a WCF service that uses ServiceAuthorizationBehavior for ASP.NET role based authentication of a WCF service. It works fine in my test environment, but when using the same code on DASP servers, Access Denied exceptions are thrown. After some digging, it seems that Thread.CurrentPrincipal is somehow being lost or not set (see below) and I can't figure out why. Any ideas? I am working around the problem by explicitly checking HttpContext within each method (see GetSomeData2() below), but I'd like to clean it up to work with the PrincipalPermission attribute as in GetSomeData1(). Thanks!

Code:

    using System.Security.Permissions;
    using System.ServiceModel.Activation;
    using System.Threading;
    using System.Web;

    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class WebService : IWebService
    {
        public WebService()
        {
            // Copy the ASP.NET principal onto the worker thread so PrincipalPermission can see it
            Thread.CurrentPrincipal = HttpContext.Current.User;
        }

        // This method throws Access Denied for user in role (uses Thread.CurrentPrincipal)
        [PrincipalPermission(SecurityAction.Demand, Role = "clients")]
        public string GetSomeData1()
        {
            return "some data";
        }

        // This method allows access for user in role (uses HttpContext.Current)
        public string GetSomeData2()
        {
            if (!HttpContext.Current.User.IsInRole("clients"))
                return null;
            return "some data";
        }
    }
It seems that when principalPermissionMode="UseAspNetRoles", it works fine with http, but *not* https. See this explanation ... Basically I was hoping to use Forms authentication for Silverlight over BasicHttpBinding with an https endpoint... this does not seem to be supported by WCF, at least not without a custom service authorization policy. Bummer.
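One way to get the PrincipalPermission demand evaluated against the Forms-authentication principal without touching Thread.CurrentPrincipal in each service method, as an added example that is not code from the original post or from WCF itself: a custom IAuthorizationPolicy (the namespace, class name and configuration values below are assumed) that copies HttpContext.Current.User into WCF's evaluation context, paired with principalPermissionMode="Custom". When no authenticated caller is present it installs an anonymous principal with no roles, so any role demand fails closed rather than throwing a null reference.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.Web;

// Assumed namespace and class name; not from the original post.
namespace Example.Wcf.Security
{
    // Custom authorization policy: hands the principal that ASP.NET Forms
    // authentication already established (HttpContext.Current.User) to WCF,
    // so that [PrincipalPermission(SecurityAction.Demand, Role = "clients")]
    // is checked against it. Requires ASP.NET compatibility mode so that
    // HttpContext.Current is populated for the WCF request.
    public sealed class HttpContextPrincipalPolicy : IAuthorizationPolicy
    {
        private readonly string id = Guid.NewGuid().ToString();

        // Unique identifier for this policy instance (required by the interface).
        public string Id
        {
            get { return id; }
        }

        // Claims issued by this policy: none of our own, so report the system issuer.
        public ClaimSet Issuer
        {
            get { return ClaimSet.System; }
        }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            HttpContext ctx = HttpContext.Current;
            IPrincipal principal = (ctx != null) ? ctx.User : null;

            if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            {
                // Fail closed: an anonymous identity with no roles makes every
                // PrincipalPermission demand (Authenticated and Role) fail.
                principal = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            }

            // WCF reads this well-known "Principal" property when the service's
            // serviceAuthorization behavior has principalPermissionMode="Custom".
            evaluationContext.Properties["Principal"] = principal;

            // true = evaluation complete, no need to call this policy again.
            return true;
        }
    }
}

/*
 Assumed web.config fragment wiring the policy in (assembly name is a placeholder):

 <system.serviceModel>
   <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
   <behaviors>
     <serviceBehaviors>
       <behavior>
         <serviceAuthorization principalPermissionMode="Custom">
           <authorizationPolicies>
             <add policyType="Example.Wcf.Security.HttpContextPrincipalPolicy, YourAssemblyName" />
           </authorizationPolicies>
         </serviceAuthorization>
       </behavior>
     </serviceBehaviors>
   </behaviors>
 </system.serviceModel>
*/
```

With this in place the service keeps its [AspNetCompatibilityRequirements] attribute, drops the Thread.CurrentPrincipal assignment from the constructor, and GetSomeData1() can rely on the PrincipalPermission attribute alone; a quick check that the policy is actually running is to log the value of ServiceSecurityContext.Current.AuthorizationContext.Properties["Principal"] inside a method and confirm it is the Forms-authentication user rather than null or an anonymous identity.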