How To: Allow Metadata Requests While Authorizing
During custom authorization, it may be necessary to allow a request for metadata to be processed. The following topic walks through the steps to validate such a request.
For more information about Windows Communication Foundation (WCF) authorization, see Authorization.
To allow metadata requests during authorization
Create an extension of the ServiceAuthorizationManager class.
Override the CheckAccessCore method. The method returns
true
orfalse
depending on whether authorization is allowed. Information about the current procedure is found in the OperationContext passed as a parameter to the method.In the override, check the contract name, namespace, and the action as shown in the following example. If the conditions are valid, then return
true.
Use the extensibility point to employ the class. For more information, see How to: Create a Custom Authorization Manager for a Service.
Example
The following example shows an override of the CheckAccessCore method.
class MyAuthorizationManager : ServiceAuthorizationManager
{
protected override bool CheckAccessCore(OperationContext operationContext)
{
// Allow MEX requests through.
if (operationContext.EndpointDispatcher.ContractName == ServiceMetadataBehavior.MexContractName &&
operationContext.EndpointDispatcher.ContractNamespace == "http://schemas.microsoft.com/2006/04/mex" &&
operationContext.IncomingMessageHeaders.Action == "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get")
return true;
// Code not shown: Perform authorization checks for non-MEX requests
return false;
}
}
Class MyAuthorizationManager
Inherits ServiceAuthorizationManager
Protected Overrides Function CheckAccessCore(ByVal operationContext As OperationContext) As Boolean
' Allow MEX requests through.
With operationContext
If .EndpointDispatcher.ContractName = ServiceMetadataBehavior.MexContractName AndAlso _
.EndpointDispatcher.ContractNamespace = "http://schemas.microsoft.com/2006/04/mex" AndAlso _
.IncomingMessageHeaders.Action = "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get" Then
Return True
End If
End With
' Code not shown: Perform authorization checks for non-MEX requests
Return False
End Function
End Class