Related to this question, I'm instantiating a connection to our internal API inside my custom UserNamePasswordValidator. Can I stash this somewhere so that I can use it in future calls in that user's session?
This is similar to this question, but I'm not using IIS, so I can't use HttpContext.Current (or can I?).
Update: Some context: our internal API is exposed via a COM object, which exposes a Login method. Rather than have a Login method in my service interface, I've got a custom UserNamePasswordValidator, which calls the Login method on the COM object.
Because instantiating the COM object and logging in is expensive, I'd like to re-use the now-logged-in COM object in my service methods.
Yes, it can. You'll need:
- ServiceCredentials implementation that returns a custom SecurityTokenManager.
- SecurityTokenManager implementation that returns a custom CustomUserNameSecurityTokenAuthenticator.
- CustomUserNameSecurityTokenAuthenticator needs to override ValidateUserNamePasswordCore, and should add a custom implementation of IAuthorizationPolicy.
- IAuthorizationPolicy should implement Evaluate, at which point it can start putting things in the WCF context.
  - evaluationContext["PrimaryIdentity"] value with a PasswordIdentity or a custom IIdentity.
  - evaluationContext["Principal"] value with a PasswordPrincipal or a custom IPrincipal.
  - evaluationContext["Identities"] collection to replace the GenericIdentity instance with your custom instance.

By doing this, you can have a custom IPrincipal implementation with some extra information in it.
For more details, see this.
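
The authenticator and authorization-policy steps listed above, as an added C# example that is not part of the original answer. ApiPrincipal, SessionPolicy, SessionAuthenticator and the login delegate are hypothetical names, and the ServiceCredentials and SecurityTokenManager from the first two items are assumed to hand out SessionAuthenticator for user name tokens.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.Security.Principal;

// All type names are hypothetical; "session" stands for the logged-in COM object.
sealed class ApiPrincipal : IPrincipal
{
    public ApiPrincipal(IIdentity identity, object session) { Identity = identity; Session = session; }
    public IIdentity Identity { get; private set; }
    public object Session { get; private set; }          // reused by service methods
    public bool IsInRole(string role) { return false; }  // roles are not modelled here
}

sealed class SessionPolicy : IAuthorizationPolicy
{
    private readonly string _user; private readonly object _session;
    public SessionPolicy(string user, object session) { _user = user; _session = session; Id = Guid.NewGuid().ToString(); }
    public string Id { get; private set; }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        IIdentity identity = new GenericIdentity(_user, "ApiLogin");
        object existing;
        var identities = evaluationContext.Properties.TryGetValue("Identities", out existing)
            ? (IList<IIdentity>)existing : new List<IIdentity>();
        identities.Add(identity);
        evaluationContext.Properties["Identities"] = identities;
        evaluationContext.Properties["PrimaryIdentity"] = identity;
        evaluationContext.Properties["Principal"] = new ApiPrincipal(identity, _session);
        return true; // evaluation is complete; no need to call this policy again
    }
}

sealed class SessionAuthenticator : CustomUserNameSecurityTokenAuthenticator
{
    private readonly Func<string, string, object> _login; // must throw on bad credentials
    // The base validator is never consulted because the override below does not call base.
    public SessionAuthenticator(Func<string, string, object> login) : base(UserNamePasswordValidator.None) { _login = login; }

    protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateUserNamePasswordCore(string userName, string password)
    {
        object session = _login(userName, password); // password is used once and not stored
        return new List<IAuthorizationPolicy> { new SessionPolicy(userName, session) }.AsReadOnly();
    }
}
```

A service method can read the object back by casting ServiceSecurityContext.Current.AuthorizationContext.Properties["Principal"] to ApiPrincipal.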