Can a custom UserNamePasswordValidator add things to the WCF session?

Question

Related to this question, I'm instantiating a connection to our internal API inside my custom UserNamePasswordValidator. Can I stash this somewhere so that I can use it in future calls in that user's session?

This is similar to this question, but I'm not using IIS, so I can't use HttpContext.Current (or can I?).

Update: Some context: our internal API is exposed via a COM object, which exposes a Login method. Rather than have a Login method in my service interface, I've got a custom UserNamePasswordValidator, which calls the Login method on the COM object.

Because instantiating the COM object and logging in is expensive, I'd like to re-use the now-logged-in COM object in my service methods.

Roger Lipscombe · Accepted Answer

Yes, it can. You'll need:

a custom ServiceCredentials implementation that returns a custom SecurityTokenManager.
a custom SecurityTokenManager implementation that returns a custom CustomUserNameSecurityTokenAuthenticator.
your custom CustomUserNameSecurityTokenAuthenticator needs to override ValidateUserNamePasswordCore, and should add a custom implementation of IAuthorizationPolicy.
your implementation of IAuthorizationPolicy should implement Evaluate, at which point it can start putting things in the WCF context.
replace the evaluationContext["PrimaryIdentity"] value with a PasswordIdentity or a custom IIdentity.
replace the evaluationContext["Principal"] value with a PasswordPrincipal or a custom IPrincipal.
update the evaluationContext["Identities"] collection to replace the GenericIdentity instance with your custom instance.

By doing this, you can have a custom IPrincipal implementation with some extra information in it.

For more details, see this.

Can a custom UserNamePasswordValidator add things to the WCF session?

Answers (2)

Related Questions