WCF REST Service - 401 Unauthorized

9
votes

We're in the process of developing a WCF REST web service which just receives a bunch of arbitrary text from any anonymous user and then performs some processing on the back end.

For example, here's one method from our web service:

[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class MyRESTService : IMyRESTService
{
    [WebInvoke(Method = "PUT", UriTemplate = "/MyRESTMethod?paramA={paramA}&paramB={paramB}")]
    public Stream MyRESTMethod(string paramA, string paramB, Stream rawData)
    {
        //do some stuff...
    }
}

If we just use the default IIS settings we get a (401) Unauthorized. However, after much trial and error we figured out that we could get it to work by giving WRITE access to 'Everyone' on the actual .svc file for our service.

My question is: why in the world would IIS need to have WRITE access to an .svc file for this to work? Is there a better way or am I stuck with this hackish (and possibly insecure) workaround?

WTF Microsoft?

Possibly related:

2
wcfiisrestiis-7http-status-code-401
The access rights do not necessarily need to be granted to "Everyone". Instead the authenticated user must have these rights. For anonymous access this is IUSR.chiccodoro

2 Answers

10
votes

I have also found this can be fixed by putting

<authentication mode="None" /> inside of <system.web> in your web.config

8
votes

After talking to a tech representative from M$ I was informed that this is indeed the expected behavior. The service must have write access enabled for someone to send a request to it, and when you do this it will actually set write access automatically on the .SVC file as well.