Tags: wcf, web-services, wcf-security, x509certificate, x509

Checking clients and the methods they are allowed to access outside of the method?


Here's a link to my previous related question.

 --------------
| ServiceA.svc | ------------> Test Client 1
|  -GetData()  | ------------> Test Client 2
|  -SaveData() |
 --------------


So far, so good. By checking ServiceSecurityContext.Current.PrimaryIdentity.Name in my GetData() and SaveData() methods, I am able to distinguish and allow/deny clients.
While this does the job, I think it would be more efficient if the method isn't called at all and the client check is done outside of the method.

Any suggestions on the most efficient way to do this?
I was thinking something akin to 'Hey! This GetData() method is only for Client 1. You're Client 2! Why are you trying to access this?! Get out!!!'


Solution

  • The way you are doing it now is correct.

    If you move the checking of which services a user can call to the client, you leave the services open to attack from a client that is not built by you.

    If you grouped methods with the same access restrictions into their own services, you could set the access at the service level using wcf configuration.
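The following C# is an added example, not code from the question or the answer. It shows one way to get what the question asks for (the check runs before GetData()/SaveData() is ever entered) while keeping what the answer insists on (the decision is made on the server, never trusted to the client). It uses WCF's ServiceAuthorizationManager extension point, which the page does not mention; the contract namespace, the client names (stand-ins for "Test Client 1" and "Test Client 2"), and the SOAP action strings are assumptions. With certificate credentials the exact PrimaryIdentity.Name string depends on the credential type and certificate, so the allow-list values would need to match whatever the question's in-method check currently sees.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;

// Assumed contract: the page only names ServiceA with GetData() and SaveData().
// The Namespace value is an assumption; it determines the default SOAP action below.
[ServiceContract(Namespace = "http://example.invalid/ServiceA")]
public interface IServiceA
{
    [OperationContract] string GetData();
    [OperationContract] void SaveData(string data);
}

// The service methods no longer carry the identity check themselves.
public class ServiceA : IServiceA
{
    public string GetData() { return "data"; }
    public void SaveData(string data) { /* persist data */ }
}

// Central authorization hook. WCF calls CheckAccessCore before dispatching to the
// operation, so a denied caller never reaches GetData()/SaveData(), and the
// decision stays on the server where a third-party client cannot bypass it.
public class ClientOperationAuthorizationManager : ServiceAuthorizationManager
{
    // Allow-list keyed by SOAP action. Default WCF actions have the shape
    // {Namespace}/{ContractName}/{OperationName}. Client names are placeholders.
    private static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.Ordinal)
    {
        { "http://example.invalid/ServiceA/IServiceA/GetData",
          new HashSet<string>(StringComparer.Ordinal) { "CN=TestClient1" } },
        { "http://example.invalid/ServiceA/IServiceA/SaveData",
          new HashSet<string>(StringComparer.Ordinal) { "CN=TestClient1", "CN=TestClient2" } },
    };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Same value the question reads inside each method via
        // ServiceSecurityContext.Current.PrimaryIdentity.Name.
        string caller = operationContext.ServiceSecurityContext?.PrimaryIdentity?.Name;
        string action = operationContext.IncomingMessageHeaders.Action;

        bool allowed = IsAllowed(action, caller);

        // Record every decision server-side; denied calls are the ones worth alerting on.
        Console.WriteLine("authz action={0} caller={1} result={2}",
            action, caller ?? "<anonymous>", allowed ? "allow" : "deny");

        // Returning false makes WCF fault the call before the operation runs.
        return allowed;
    }

    // Pure decision function, separated so it can be unit-tested without a host.
    public static bool IsAllowed(string action, string caller)
    {
        // Fail closed: unknown action or unauthenticated caller is never allowed.
        if (string.IsNullOrEmpty(action) || string.IsNullOrEmpty(caller))
            return false;

        HashSet<string> clients;
        return Allowed.TryGetValue(action, out clients) && clients.Contains(caller);
    }
}

public static class ServiceAHosting
{
    // Programmatic registration. The equivalent configuration element is
    //   <behaviors><serviceBehaviors><behavior>
    //     <serviceAuthorization
    //       serviceAuthorizationManagerType="ClientOperationAuthorizationManager, AssemblyName" />
    //   </behavior></serviceBehaviors></behaviors>
    // where AssemblyName is whatever assembly holds the class (assumption).
    public static ServiceHost Configure(ServiceHost host)
    {
        host.Authorization.ServiceAuthorizationManager = new ClientOperationAuthorizationManager();
        return host;
    }
}
```

If the methods with identical restrictions are instead split into separate services, as the answer suggests, the same manager still works: each service gets its own allow-list (or the per-action table collapses to a per-service one), and the check remains outside the method bodies without ever moving to the client.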