I would like to implement Custom Authentication about servicestack HOT 6 OPEN

I'll have to see if I can get a copy of VS.NET 2010 somewhere to see what the 
new WCF REST mechanism is like to see if it isn't too ugly and supportable for 
implementations outside of WCF.

I normally roll my own authentication/session scheme as it lets me have greater 
control over the user's auth/session and lets me store it in any ICacheClient 
of my choosing. I have an example of the approach I normally take in these 
classes: http://bit.ly/bolwP2

In order to handle each request generically, I have an IService base class and 
mark each RequestDTO I want to authenticate with a IRequiresUserSession which 
is just an interface with a UserId/SessionId pair. The base class simply 
detects if the Request DTO is an 'IRequiresUserSession' and if so validates 
that it is a valid session. If it is, calls the sub classes IService 
implementation otherwise throws an Auth Error.

I'll try to put an example of this in ServiceStack's Example project when I get 
time this weekend to show you what I mean. Normally Auth is handled with 
cookies but I always like to be explicit in my web services definition and have 
always needed the UserId for all my authenticated requests. Also it's more 
testable if the UserId/SessionId pair is decoupled from the Server's HTTP 
Request and explicitly set on the DTO's.

[deleted comment]

I have resolved this issue by creating

public abstract class MyServiceBase<TRequest> : ServiceBase<TRequest>, 
IRequiresRequestContext 

and creating

protected override object Run(TRequest request)
        {
            if (Authorise())
                return RunService(request);
            else {}
                 }

and my bool Authorise does my required validation. I wondered if it might be 
helpful to others if this was baked into the framework. The base implementation 
could contain an overridable Authorise method that just returns true in the 
base?

Yeah, that looks like it will work, the base-class is in-line with the approach 
to what I would do. I don't really like 'baking in' auth/session into the 
framework since it proposes the use of a single implementation and IMHO 
complicates it for everybody who wants to use an alternate scheme. 

I much prefer to have 'extensions' project on the side like I'm doing with 
ServiceStack.ServiceInterface so users can opt-in the extra functionality if it 
suits them. I will look to provide a better auth/session story in there at some 
stage.

Hi LeparkUK,

Do you have a more complete example on how this worked for you?

Rui

Sorry. Do to issues with service stack at the time (now resolved) I was unable 
to progress any further with the framework at that time and due to time 
constraints I had to continue without, so I no longer have my code.