Setting up web services with x509 and multiple clients and how to distinguish clients?

Question

Following these two links, I was able to implement a simple web service with x509 certification, and an authenticated test client to consume the service.

Right now, it looks something like this:

 --------------
| ServiceA.svc | ------------> Test Client 1
|  -GetData()  |
 --------------

How can I extend what I have to accomplish something like this:

 --------------
| ServiceA.svc | ------------> Test Client 1
|  -GetData()  | ------------> Test Client 2
|  -SaveData() |
 --------------
| ServiceB.svc |-------------> Test Client 1
|  -GetData()  |
 --------------
| ServiceC.svc |-------------> Test Client 2
|  -SaveData() |
 --------------

I already have services set up, and Test Client 2 ready to go.

So here are some of my questions:

• Do I need to create a separate certificate for Test Client 2?
• How will the config files/end points/behaviors look like? I think Service B and C would be easy to setup as it is basically the same as what I have right now, but now that ServiceA will be consumed by both clients, I am a bit lost.
• If ServiceA is called how do I know which client is calling it? I potentially want to limit the methods they can call (ie. TC1 can only use GetData(), TC2 can only use SaveData()), and be able to log who is accessing the methods.

I can post what I have on the config files if needed, but it looks basically what the two aforementioned links have.

Answer 1

yes, each client needs a separate certificate. Then from within the operation you can get its distinguished identity:

ServiceSecurityContext.Current.PrimaryIdentity.Name

The best practice is to separate the authorization process like described here: http://msdn.microsoft.com/en-us/magazine/cc948343.aspx