I am invoking a WCF web service (.NET 4.0) via jQuery $.ajax() from an ASP.NET page. How can I secure the WCF service such that only authenticated ASP.NET users can invoke the service's methods? Do I need to imperatively check the forms authentication cookie manually in each service method, or is there a more declarative approach?
4
votes
1 Answers
3
votes
SOLUTION: Move the .svc files under a "Services" directory (or any directory that will hold the services to be secured) and secure that directory with its own web.config. Configure the location to deny anonymous users:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
