Question

I use WCF with my ASP.NET MVC app; my data service gets data from my (EF 4.1) .mdf file. But there is some field that I want to show with authentication, for example:

public static void InitializeService(DataServiceConfiguration config)
{
    config.SetEntitySetAccessRule("Exercies", EntitySetRights.All);
    config.SetServiceOperationAccessRule("GetAllExercies", ServiceOperationRights.All);
    config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V3;
}
[WebGet]
public IQueryable<Exercise> GetAllExercies(string name, string pass)
{
    if (Membership.ValidateUser(name, pass))
        return CurrentDataSource.Exercies;
    else
        return CurrentDataSource.Exercies.Where(e => e.Public == true);
}

Now when a user accesses httx://localhost/MyService.svc/Exercies, they can get everything although they are not given the username and pass.
My temporary solution is to rename GetAllExercies to just Exercies, but I am not sure whether there is any better way...

Solution

Yes, there is a better solution: query interceptors. In fact using the same name for entity set and service operation tends to lead to problems in certain scenarios (the $metadata is "confusing" for the clients). It's also not 100% secure (doesn't prevent accessing the entity through some navigation property if you have that).

See this http://msdn.microsoft.com/en-us/library/dd744842.aspx. The idea is that you make the auth filter part of the entity set query, and WCF DS Service makes sure that it will be used everywhere that entity set is accessed.
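
A query interceptor for the question's Exercies entity set, as an added example that is not part of the original answer. The class names ExerciseService and ExerciseContext are placeholders, and it assumes ASP.NET has already authenticated the caller so that the identity is available on HttpContext.Current.User instead of arriving as query-string parameters.

```csharp
using System;
using System.Data.Services;
using System.Data.Services.Common;
using System.Linq.Expressions;
using System.Web;

// ExerciseService and ExerciseContext are placeholder names for the asker's
// service class and EF context; Exercise, Exercies and Public come from the question.
public class ExerciseService : DataService<ExerciseContext>
{
    public static void InitializeService(DataServiceConfiguration config)
    {
        // The entity set stays exposed; the interceptor below decides which rows are visible.
        // AllRead instead of All is an assumption: the question only discusses reading.
        config.SetEntitySetAccessRule("Exercies", EntitySetRights.AllRead);
        config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V3;
    }

    // WCF Data Services composes the returned predicate into every query
    // against the "Exercies" entity set, not only the direct /Exercies URL.
    [QueryInterceptor("Exercies")]
    public Expression<Func<Exercise, bool>> OnQueryExercies()
    {
        // Assumption: the hosting ASP.NET pipeline (forms auth cookie, Basic auth
        // over HTTPS, ...) has set the user, so no password travels in the URL.
        HttpContext ctx = HttpContext.Current;
        bool authenticated = ctx != null
            && ctx.User != null
            && ctx.User.Identity.IsAuthenticated;

        if (authenticated)
            return e => true;           // signed-in callers see every row

        return e => e.Public == true;   // anonymous callers see public rows only
    }
}
```

With the filter attached to the entity set, the GetAllExercies service operation and its name/pass parameters are no longer needed to protect the non-public rows.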

Licensed under: CC-BY-SA with attribution