How To: Allow Metadata Requests While Authorizing

During custom authorization, it may be necessary to allow a request for metadata to be processed. This topic walks through the steps to validate such a request.

For more information about Windows Communication Foundation (WCF) authorization, see Authorization.

To allow metadata requests during authorization

  1. Create an extension of the ServiceAuthorizationManager class.

  2. Override the CheckAccessCore method. The method returns true or false depending on whether authorization is allowed. Information about the current procedure is found in the OperationContext passed as a parameter to the method.

  3. In the override, check the contract name, namespace, and the action as shown in the following example. If all three conditions match, return true.

  4. Use the extensibility point to employ the class. For more information, see How to: Create a Custom Authorization Manager for a Service.


The following example shows an override of the CheckAccessCore method.

using System.ServiceModel;
using System.ServiceModel.Description;

class MyAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Allow MEX requests through: contract name, contract namespace, and action must all match.
        if (operationContext.EndpointDispatcher.ContractName == ServiceMetadataBehavior.MexContractName &&
            operationContext.EndpointDispatcher.ContractNamespace == "http://schemas.microsoft.com/2006/04/mex" &&
            operationContext.IncomingMessageHeaders.Action == "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get")
            return true;

        // Code not shown: Perform authorization checks for non-MEX requests
        return false;
    }
}

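Imports System.ServiceModel
Imports System.ServiceModel.Description

Class MyAuthorizationManager
    Inherits ServiceAuthorizationManager
    Protected Overrides Function CheckAccessCore(ByVal operationContext As OperationContext) As Boolean

        ' Allow MEX requests through: contract name, contract namespace, and action must all match.
        With operationContext
            If .EndpointDispatcher.ContractName = ServiceMetadataBehavior.MexContractName AndAlso _
               .EndpointDispatcher.ContractNamespace = "http://schemas.microsoft.com/2006/04/mex" AndAlso _
               .IncomingMessageHeaders.Action = "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get" Then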
                Return True
            End If
        End With

        ' Code not shown: Perform authorization checks for non-MEX requests
        Return False

    End Function
End Class
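
The following added example (not part of the original topic's sample) fills in the authorization step that the sample leaves out and shows step 4, attaching the manager to a host. The class name, the claim type URI, and the Attach helper are assumptions made for illustration; substitute the claim type your own authorization policy issues.

```csharp
using System;
using System.IdentityModel.Claims;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example: hypothetical class name, claim type, and Attach helper.
public class MexAwareAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed claim type for this example only.
    const string AllowedOperationClaim = "http://example.org/claims/allowedoperation";
    const string MexNamespace = "http://schemas.microsoft.com/2006/04/mex";
    const string WsTransferGet = "http://schemas.xmlsoap.org/ws/2004/09/transfer/Get";

    static bool IsMexRequest(OperationContext ctx)
    {
        // All three values must match exactly. A looser test (contract name
        // only, for example) would let other requests skip authorization.
        return string.Equals(ctx.EndpointDispatcher.ContractName,
                             ServiceMetadataBehavior.MexContractName, StringComparison.Ordinal)
            && string.Equals(ctx.EndpointDispatcher.ContractNamespace, MexNamespace, StringComparison.Ordinal)
            && string.Equals(ctx.IncomingMessageHeaders.Action, WsTransferGet, StringComparison.Ordinal);
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        if (IsMexRequest(operationContext))
            return true;

        // Non-MEX request: require a claim whose resource names the requested action.
        string action = operationContext.IncomingMessageHeaders.Action;
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        if (action == null || security == null)
            return false;

        foreach (ClaimSet claimSet in security.AuthorizationContext.ClaimSets)
            foreach (Claim claim in claimSet.FindClaims(AllowedOperationClaim, Rights.PossessProperty))
                if (string.Equals(claim.Resource as string, action, StringComparison.Ordinal))
                    return true;

        return false; // Default deny when no claim matches.
    }

    // Step 4: attach the manager before the host is opened.
    public static void Attach(ServiceHost host)
    {
        host.Authorization.ServiceAuthorizationManager = new MexAwareAuthorizationManager();
    }
}
```

Call Attach on the ServiceHost before calling Open; the authorization manager cannot be changed once the host is running.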

See Also

Managing Claims and Authorization with the Identity Model