Securing Data Services

We have received a lot of questions lately about how to authenticate calls to an ADO.NET Data Service.  Mike Taulty has created a nice post outlining some of the options for authenticating calls to data services.  Check it out here:


-Mike Flasko

ADO.NET Data Services Framework, Program Manager

Comments (7)

  1. Alan M. says:

    That blog post doesn’t really answer the original question, of how to use HTTP Basic authentication, presumably to operate in a web-friendly manner regardless of the client consuming the service. It just side-steps the problem by using forms based authentication (in a hackish type way mind you), and in a .NET biased approach that wouldn’t work well with other frameworks.

    I would hope this scenario is improved with a proper ASP.NET provided Basic Auth solution and the ability to call services from a web browser without resorting to using ASP.NET AJAX auto JS generated proxies.

  2. Michael says:

    A simpler approach I use is on the SendingRequest event handler for the data service add a request header with a key. Then on the data service server for a app in the Application_BeginRequest event look for requests made to the data service url and if the request header is missing end the request.

    var db= new ModelEntities(new Uri("http://service.svc");

    entities.SendingRequest += new db_SendingRequest(object sender, SendingRequestEventArgs e);

    protected static void db_SendingRequest(object sender, SendingRequestEventArgs e)


       e.Request.Headers.Add("auth", "secretkey");


    void Application_BeginRequest(object sender, EventArgs e)


       if (Request.RawUrl.ToLower().Contains("service.svc"))


           if (Request.Headers["auth"] != "secretkey")




  3. Mahabubur Rahaman says:

    In the ASP.NET web application where i added data service as well as Entity Data model , there is no additional ascx file , so how can i put this method like  Application_BeginRequest()

    and how this can be workable in my project.

    Offcourse i add a request header with a key in my client application.

    Please help me out.


  4. Gabor Rosenberg says:

    In the Mike’s blog the example shows how to authenticate from within and how to use the AJAXscript library. But, how to authenticate from within Silverlight 2? (At the time of writing the article (27 may 2008), the SL2 wasn’t available yet. The SL 2 version of .Net 3.5 doesn’t include all the possibility that included in the full version. Thanks

  5. Zachary says:

    Thank you for the suggestion and code, Michael.  This works for me.

  6. Kent says:

    Why I get 401 error when consume DataService svc using credentials through ISA proxy but no error when directly connect to dataservice server?

  7. Charlie says:

    Dude this is silly what where you guys thinking when developing this awful platform. There is no easy way of authenticating the wcf data service and thats a major issue!!