Update – I have found a way (with a little help from the community!) around the issues discussed in this post – please see this post
Logically I want to be able to use the WCF security model since it is very rich, and automatic once you've done the configuration. However - it's a nightmare - because when you expose AJAX-friendly endpoints, you're doing it with WebHttpBinding, and its security modes are, well, frankly crap; in fact, in almost every way WebHttpBinding should be thought of as a 'special case', which goes against everything that WCF seeks to achieve.
The problem is this - if you have a custom user name and password store, then you have to use either a membership provider (therefore relying on Asp.Net authorisation, and also in my case having to implement or stub out a whole host of features that our user store doesn't itself support), or you can write an entirely custom validator.
Once that's done your options - taken as a whole - are to use user name client credentials on either the transport or message security (using the 'clientCredentialType' attribute available on the <transport> and <message> security elements of a binding). You also need to wire up the custom username validator - which is done at the service behaviour level:
    <serviceBehaviors>
      <behavior name="MyServiceBehavior">
        <serviceCredentials>
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="YourType, AssemblyName"/>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
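For reference, a sketch of the validator type that the customUserNamePasswordValidatorType attribute points at. This is an added example, not code from the original post: the Store dictionary and StoredCredential class are hypothetical stand-ins for the custom user store, and the PBKDF2 hashing is an assumption about how that store keeps passwords. It targets .NET Framework 4.0 or later.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Hypothetical record shape for the custom user store (assumption for this example).
public sealed class StoredCredential
{
    public byte[] Salt;
    public byte[] Hash;
    public int Iterations;
}

public class YourType : UserNamePasswordValidator
{
    // Stand-in for the real store lookup; replace with your own data access.
    private static readonly Dictionary<string, StoredCredential> Store =
        new Dictionary<string, StoredCredential>(StringComparer.OrdinalIgnoreCase);

    // WCF calls this for each username credential; throwing rejects the caller.
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null)
            throw new SecurityTokenException("Invalid credentials.");

        StoredCredential record;
        bool known = Store.TryGetValue(userName, out record);

        // Derive a hash even for unknown users so response time
        // does not reveal which user names exist.
        byte[] salt = known ? record.Salt : new byte[16];
        int iterations = known ? record.Iterations : 100000;
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(32);

        // Same message for "no such user" and "wrong password".
        if (!known || !FixedTimeEquals(actual, record.Hash))
            throw new SecurityTokenException("Invalid credentials.");
    }

    // Compares every byte regardless of where the first mismatch occurs.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```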
In a wsHttp environment you can do anything - so I'll leave that one out.
In a SOAP environment, too, it's fine: you'd probably use Message-based security, so that you also have a clear way to enable transport-level security as well. Not to mention also being able to lock down the transport to further credentials if need be.
When, however, you hit the WebHttpBinding you also hit a massive brick wall. You can only enable Transport security or TransportCredentialOnly security. The first is just SSL; the second is no-SSL, but also gives space for the client credentials to be sent, using one of the HTTP authentication mechanisms, such as Basic, Digest etc. (the same ones available on the IIS security tab).
This is where it gets really amusing - custom user name/password combos with HTTP Transport-based security do not work when hosted in IIS - because IIS steps in and authenticates against the Windows user store (AD, local machine etc.) automatically. For a double-kick in the teeth, it's not supported at all when the service is not self-hosted:
I'm now having to circumvent WCF security and am rolling my own based on an IDispatchMessageInspector implementation, and custom authentication headers.
The next post will be about how Asp.Net Ajax makes it super-easy to add extra headers to requests as they go out of the WebRequestManager class.