Using custom security in WCF
http://groups.google.co.uk/group/microsoft.public.windows.developer.winfx.indigo/browse_thread/thread/5b4d8a5790e76feb/4040905d321cce17
Here are some things to get you started on creating your own custom WCF security model:
You are going to need to create your own Identity and Principal objects to
handle the data you want within context. Inheriting from
System.Security.Principal.IIdentity and System.Security.Principal.IPrincipal
is a good idea.
Also, to validate usernames and passwords you'll need to create your own
custom username and password validator by inheriting from
System.IdentityModel.Selectors.UserNamePasswordValidator.
Then, you'll need to create your own AuthorizationManagers and
AuthorizationPolicies by
inheriting from System.ServiceModel.ServiceAuthorizationManager and then
overriding the CheckAccessCore(OperationContext operationContext) method to
perform additional checks for your model.
Also, you'll need to create your own AuthorizationPolicy by inheriting from
System.IdentityModel.Policy.IAuthorizationPolicy. Within this interface
you'll have to evaluate the caller's context and give out the appropriate
permissions.
When all of that is done, you'll need to modify your service configuration
to use these custom assemblies in the following configuration tags:
<behavior name="MembershipServiceBehaviors">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="MYCUSTOMVALIDATORTYPE",
CuraScript.MembershipServices.Validators" cacheLogonTokens="true" />
<windowsAuthentication allowAnonymousLogons="false" />
</serviceCredentials>
<serviceAuthorization impersonateCallerForAllOperations="false"
principalPermissionMode="Custom"
serviceAuthorizationManagerType="MYCUSTOMAUTHORIZATIONMANAGER,
MYCUSTOMAUTHORIZATIONMANAGERASSEMBLY">
<authorizationPolicies>
<add policyType="MYCUSTOMAUTHORIZATIONPOLICY,
MYCUSTOMAUTHORIZATIONPOLICYASSEMBLY, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=null" />
</authorizationPolicies>
</serviceAuthorization>
</behavior>
</serviceBehaviors>