WCF authorization token with mixed clients

I am working on some WCF services for an application that are not only consumed by our web app but would also be consumable from our clients' internal applications. Since we will not know what environment the clients' internal apps could be in, we are going to go the least common denominator route.

We will have an authentication service that will return a token, and that token will be passed as the first parameter of every method call. My issue is that I would like a clean way to examine the token without having to put the call to the token checking logic as the first line of code in each service method.

I looked at implementing a parameter inspector in the BeforeCall method and that worked great in my first proof of concept, but what I don't like is having to throw an exception to let the consumer know that the token is not valid. All of my methods will return a result that has at least 2 basic properties - success and a list of error messages. I would love to just return the invalid token information as one of the result's error messages because to me, an invalid token is not an exception, it is a validation, but I do not see a clean way to accomplish this transparently.

I almost went for the return value in the parameter inspector's AfterCall method but that allows the method to execute.

So I think that I have 2 choices - 1 - Put a token check call as the first line of each method which will populate my returning result object 2 - Throw an exception in the parameter inspector, which really isn't all that bad.

Has anybody found a good way to do this?

Thanks, Paul


I really think you should reconsider this approach. Every stack understands SOAP headers, even if the person is building XML strings themselves. Just don't do anything like message security and you should be OK as far as interop goes.

If you still want to go this route, you could probably just write a custom IParameterInspector which you can attach to the services using a behavior. Then just override the BeforeCall method and check the token there.
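A sketch of the inspector-plus-behavior approach described in the answer above, added here as an example and not code from the original posts. The class names, the `isValid` delegate and the `InvalidToken` fault code are hypothetical; the token is assumed to be a string in the first parameter, as the question describes.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Rejects a call before the operation body runs unless inputs[0] is a valid token.
public sealed class TokenParameterInspector : IParameterInspector
{
    private readonly Func<string, bool> _isValid; // hypothetical validator supplied by the host

    public TokenParameterInspector(Func<string, bool> isValid)
    {
        _isValid = isValid ?? throw new ArgumentNullException(nameof(isValid));
    }

    public object BeforeCall(string operationName, object[] inputs)
    {
        // Fail closed: a missing, non-string or empty first parameter counts as invalid.
        var token = inputs != null && inputs.Length > 0 ? inputs[0] as string : null;
        if (string.IsNullOrEmpty(token) || !_isValid(token))
        {
            // FaultException reaches the caller as a SOAP fault; the token is never echoed back.
            throw new FaultException(
                new FaultReason("Invalid or expired token."),
                new FaultCode("InvalidToken"));
        }
        return null; // no correlation state needed
    }

    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState) { }
}

// Attaches the inspector to every operation exposed on an endpoint.
public sealed class TokenCheckEndpointBehavior : IEndpointBehavior
{
    private readonly Func<string, bool> _isValid;
    public TokenCheckEndpointBehavior(Func<string, bool> isValid) { _isValid = isValid; }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
    {
        foreach (DispatchOperation op in endpointDispatcher.DispatchRuntime.Operations)
            op.ParameterInspectors.Add(new TokenParameterInspector(_isValid));
    }

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

Attach the behavior only to the token-protected endpoints, not to the authentication service that issues the token, since every operation it covers is expected to carry the token as its first argument.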
