Examining message contents when using WCF's ServiceAuthorizationManager

Microsoft's Windows Communication Foundation (WCF) provides a hook for inserting custom authorization modules to protect your web services.  By implementing a custom ServiceAuthorizationManager as per this tutorial, you can make the decision to allow access based on whatever custom logic you may desire.

Things can get a little tricky if you want to inspect the incoming message itself, though.  Each message can be read only once in WCF, meaning that if you consume the message during authorization, the service itself can no longer consume it.

Luckily WCF provides a manner in which you can buffer the message, copy it, and send an unconsumed copy to the underlying service.  Here's the code I used to get this to work:

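public override bool CheckAccess(OperationContext operationContext, ref Message message)
{
    // Buffer the incoming message (8192 is the maximum buffer size) so it can be copied.
    MessageBuffer buffer =
        operationContext.RequestContext.RequestMessage.CreateBufferedCopy(8192);
    message = buffer.CreateMessage();               // unconsumed copy passed on to the service
    Message internalCopy = buffer.CreateMessage();  // copy that authorization may consume
    buffer.Close();

    // Deny by default; set to true only when your checks pass
    bool authzResult = false;

    //Examine 'internalCopy' during your authorization processing
    return authzResult;
}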
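
As an added example (not code from the original post), here is one way the "examine internalCopy" step could look: a manager that denies by default and allows a request only when the first body element is on an allow-list. The class name, namespace and element names are hypothetical, and treating an oversized message as a QuotaExceededException is an assumption.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Xml;

// Hypothetical example class; the namespace and element names below are constructed.
public class BodyElementAuthorizationManager : ServiceAuthorizationManager
{
    private const int MaxBufferedBytes = 8192;   // same limit as the snippet above
    private const string ExpectedNamespace = "http://example.test/orders";
    private static readonly string[] AllowedElements = { "GetOrder", "ListOrders" };

    public override bool CheckAccess(OperationContext operationContext, ref Message message)
    {
        MessageBuffer buffer;
        try
        {
            // Consumes the original message; from here on only the copies are usable.
            buffer = message.CreateBufferedCopy(MaxBufferedBytes);
        }
        catch (QuotaExceededException)
        {
            // Assumption: a message over the limit surfaces as QuotaExceededException.
            return false;   // cannot inspect it, so fail closed
        }

        try
        {
            message = buffer.CreateMessage();             // unconsumed copy for the service
            using (Message internalCopy = buffer.CreateMessage())
            {
                if (internalCopy.IsEmpty)
                    return false;                         // nothing to authorize against

                using (XmlDictionaryReader body = internalCopy.GetReaderAtBodyContents())
                {
                    body.MoveToContent();
                    // Deny unless the first body element is explicitly allowed.
                    return body.NamespaceURI == ExpectedNamespace
                        && Array.IndexOf(AllowedElements, body.LocalName) >= 0;
                }
            }
        }
        finally
        {
            buffer.Close();
        }
    }
}
```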

The basic technique is outlined in these two posts on Nicholas Allen's Indigo Blog:
