WCF Routing and Message Security
One of the most important features released in WCF 4.0 is Routing.
With WCF routing you can create a simple service that will listen to all messages and forward them to the appropriate backend service according to a specified policy.
The question I want to discuss here is what happens to the security context when forwarding the message to the appropriate service.
It turns out that the WCF team did not provide a very good solution here. The only use case that supports security context forwarding is message security with Windows credentials. The reason is that Kerberos supports delegation and WCF is not responsible for the security negotiation. So It is possible to use for example wsHttpBinding with Windows credentials both at the router and at the backend service and the service will have access to the Identity object of the caller.
Other use cases such as username password , X.509 or federated credentials does not allow security context forwarding. It means that the router can be configured to enforce message security but the service must be configured to disable security and it cannot access the security context such as the user's Identity.
So what can be done?
1. Configure the router to enforce the security policy
2. If your service needs to know who is the user (after she was authenticated and authorized by the router) you have to put that information in the message itself. One way to do that is to have the client embed a custom header with that info.
3. The message will be forwarded to the service and a partial security context can be built using a custom behavior.
Hope this helps