Can a custom UserNamePasswordValidator add things to the WCF session?

Question

Related to this question, I'm instantiating a connection to our internal API inside my custom UserNamePasswordValidator. Can I stash this somewhere so that I can use it in future calls in that user's session?

This is similar to this question, but I'm not using IIS, so I can't use HttpContext.Current (or can I?).

Update: Some context: our internal API is exposed via a COM object, which exposes a Login method. Rather than have a Login method in my service interface, I've got a custom UserNamePasswordValidator, which calls the Login method on the COM object.

Because instantiating the COM object and logging in is expensive, I'd like to re-use the now-logged-in COM object in my service methods.

Answer 1

Yes, it can. You'll need:

• a custom ServiceCredentials implementation that returns a custom SecurityTokenManager.
• a custom SecurityTokenManager implementation that returns a custom CustomUserNameSecurityTokenAuthenticator.
• your custom CustomUserNameSecurityTokenAuthenticator needs to override ValidateUserNamePasswordCore, and should add a custom implementation of IAuthorizationPolicy.
• your implementation of IAuthorizationPolicy should implement Evaluate, at which point it can start putting things in the WCF context.
• replace the evaluationContext["PrimaryIdentity"] value with a PasswordIdentity or a custom IIdentity.
• replace the evaluationContext["Principal"] value with a PasswordPrincipal or a custom IPrincipal.
• update the evaluationContext["Identities"] collection to replace the GenericIdentity instance with your custom instance.

By doing this, you can have a custom IPrincipal implementation with some extra information in it.

For more details, see this.

Answer 2

UserNamePasswordValidator is absolutely out of all WCF contexts. It is only used to validate user name and password. Can you futher explain your problem?

Edit: I guess COM object is instantiated for each session, isn't it? Otherwise wrapping COM into singleton should solve your problem. If you need to have per session COM object shared between validator and service instance you will need some cache or registry - something which is outside both validator and service and can be called from both of them.