WebServiceSecurity Sample: Purpose of SetupSecurityTokenHandler

Dec 2, 2011 at 1:35 PM

Hello,

In the sample web application referenced in therecent post Token based Authentication for WCF HTTP/REST Services: Authorization there are  two calls toSetupSecurityTokenHandler in the Global.asax.cs. One is in the constructor for WebTokenWebServiceHostFactory, which in turn is in the constructor for a service route. The other is in the Application_Start:

private WebSecurityTokenHandlerCollectionManager SetupSecurityTokenHandler()
        {
...
protected void Application_Start(object sender, EventArgs e)
        {
            _logger.Info("Application_Start");
            SetupSecurityTokenHandler();
            RegisterRoutes(RouteTable.Routes);
        }
private void RegisterRoutes(RouteCollection routes)
        {
            var configuration = new WebTokenWebServiceHostConfiguration
            {
                RequireSsl = true,
                EnableRequestAuthorization = false,
                AllowAnonymousAccess = true
            };
 
            routes.Add(new ServiceRoute(
                "rest",
                new WebTokenWebServiceHostFactory(SetupSecurityTokenHandler(), configuration),
                typeof(RestService)));
        }

I presume that the call in the constructor is so that specific service routes can have credential handling set independently, but I don't understand what happens with the call in Application_Start, as the return value is not used.  Could someone explain please?