Fanda

Reputation: 3786

WCF web service custom authorization

I have a WCF web service using Windows authentication and a custom ServiceAuthorizationManager. Everything works fine, but if the overridden CheckAccessCore returns false, I get error 500 instead of the 401 I expected. The service does not implement any service-level error handling. How can I send a 401 header instead of 500?

Service config:

    <!-- App configuration -->
    <configuration>
        <system.web>
            <compilation debug="true" targetFramework="4.0" />
            <customErrors mode="Off" />
        </system.web>

        <appSettings>
            <!-- Allowed users, separated by commas -->
            <add key="allowedUsers" value="DOMAIN\User1, DOMAIN\User2" />
        </appSettings>

        <!-- Web service -->
        <system.serviceModel>
            <services>
                <service name="WebService.ApiService">
                    <endpoint binding="basicHttpBinding" bindingConfiguration="AuthenticatedBinding" bindingNamespace="http://namespace.com/customapi" contract="WebService.IApiService" />
                </service>
            </services>
            <behaviors>
                <serviceBehaviors>
                    <behavior>
                        <serviceMetadata httpGetEnabled="true"/>
                        <serviceDebug includeExceptionDetailInFaults="true"/>
                        <!-- Custom authorization manager, resolved by assembly-qualified type name -->
                        <serviceAuthorization serviceAuthorizationManagerType="WebService.Model.Services.AuthorizationService, WebService" />
                    </behavior>
                </serviceBehaviors>
            </behaviors>
            <bindings>
                <basicHttpBinding>
                    <binding name="AuthenticatedBinding">
                        <!-- Windows (integrated) authentication at the HTTP transport, no message security -->
                        <security mode="TransportCredentialOnly">
                            <transport clientCredentialType="Windows" />
                        </security>
                    </binding>
                </basicHttpBinding>
            </bindings>
            <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
        </system.serviceModel>

    </configuration>

Custom authorization manager:

    using System.Collections.Generic;
    using System.Configuration;
    using System.ServiceModel;

    class AuthorizationService : ServiceAuthorizationManager
    {
        // Account names read from the "allowedUsers" appSettings key
        private List<string> allowedUsers = new List<string>();

        public AuthorizationService() : base()
        {
            Configure();
        }

        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            // Note: the base verdict is evaluated but its result is not used here;
            // returning false makes WCF reply with an "Access is denied" SOAP fault.
            base.CheckAccessCore(operationContext);

            return allowedUsers.Contains(operationContext.ServiceSecurityContext.WindowsIdentity.Name);
        }

        private void Configure()
        {
            // Guard against a missing key so a misconfiguration fails closed instead of throwing
            var configRow = ConfigurationManager.AppSettings["allowedUsers"] ?? string.Empty;
            var parts = configRow.Split(',');

            if (parts.Length > 0)
            {
                foreach (var part in parts)
                    allowedUsers.Add(part.Trim());
            }
        }
    }

Result image: Result screenshot

Upvotes: 0

Views: 1404
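As an added example (not the asker's code nor part of any answer), the following variant of the authorization manager above keeps the allow-list decision in a method that can be exercised without an OperationContext, fails closed when the appSettings key is missing or empty, compares account names case-insensitively (Windows account names are not case-sensitive, so an ordinal Contains can deny a legitimate caller), and does not discard the result of base.CheckAccessCore. The class and method names are hypothetical; it assumes the same allowedUsers appSettings key as the question's configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Security.Principal;
using System.ServiceModel;

// Added example (hypothetical names): allow-list authorization manager for the
// Windows-authenticated basicHttpBinding endpoint shown in the question.
public class AllowListAuthorizationManager : ServiceAuthorizationManager
{
    // Windows account names are case-insensitive, so the set compares them that way.
    private readonly HashSet<string> allowedUsers;

    // WCF instantiates the manager through this parameterless constructor;
    // it reads the same "allowedUsers" appSettings key as the question.
    public AllowListAuthorizationManager()
        : this(ParseAllowedUsers(ConfigurationManager.AppSettings["allowedUsers"]))
    {
    }

    // Constructor for tests: no config file and no OperationContext required.
    public AllowListAuthorizationManager(IEnumerable<string> users)
    {
        allowedUsers = new HashSet<string>(users, StringComparer.OrdinalIgnoreCase);
    }

    // Splits "DOMAIN\User1, DOMAIN\User2" into trimmed names, dropping empty entries.
    // A missing or blank key yields an empty list, so nobody is allowed (fail closed).
    public static IEnumerable<string> ParseAllowedUsers(string configRow)
    {
        var result = new List<string>();
        if (string.IsNullOrWhiteSpace(configRow))
            return result;

        foreach (var part in configRow.Split(','))
        {
            var trimmed = part.Trim();
            if (trimmed.Length > 0)
                result.Add(trimmed);
        }
        return result;
    }

    // Pure decision: only an authenticated identity whose name is on the list passes.
    // A null or anonymous identity (no Windows credentials presented) is denied.
    public bool IsAllowed(IIdentity identity)
    {
        return identity != null
            && identity.IsAuthenticated
            && !string.IsNullOrEmpty(identity.Name)
            && allowedUsers.Contains(identity.Name);
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // The base implementation evaluates the configured authorization policies;
        // honour its verdict instead of ignoring the return value.
        if (!base.CheckAccessCore(operationContext))
            return false;

        var securityContext = operationContext.ServiceSecurityContext;
        WindowsIdentity identity = securityContext == null ? null : securityContext.WindowsIdentity;

        // Returning false makes WCF reply with an "Access is denied" SOAP fault,
        // which over HTTP is the status 500 response observed in the question.
        return IsAllowed(identity);
    }
}
```

To use it in place of the posted class, point the serviceAuthorizationManagerType attribute at this type's assembly-qualified name. The IsAllowed and ParseAllowedUsers methods can be unit-tested by constructing the manager with a literal list of names and passing a WindowsIdentity (or any IIdentity test double), which is why the decision is kept separate from the OperationContext plumbing.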

Answers (1)

Fanda

Reputation: 3786

I found on the web that error code 500 is the proper way to send a SOAP fault response. So everything is fine with my web service (I am getting an 'Access denied' fault with error code 500).

Upvotes: 1
