RESTful .NET by Jon Flanders

Security is always an important consideration when you’re building any kind of system. This is certainly true when you’re building services, perhaps more so because of the nature of exposing endpoints that could be called using a variety of toolkits and protocols. Those who favor SOAP services (specifically the WS-* set of specifications) tend to look down upon the security of RESTful services. In truth, though, enterprises have much more experience managing security for web applications than they do for SOAP service endpoints. Because RESTful services are just HTTP endpoints, all of the security techniques (HTTPS, certificates, etc.) that have been used for years with web applications are the same techniques we use for REST. Although it is certainly true that REST services don’t support end-to-end security over multiple protocols (as the suite of WS-Security-related protocols allows), in the end are you really going to need that?

In this chapter, we’ll look at the out-of-the-box capabilities that WCF 3.5 provides for building secure services with REST. First, we’ll discuss how to authenticate users of your WCF web endpoints, and then I’ll delve into the several ways available to authorize users once they’ve been authenticated.