WebServiceSecurity Sample: Purpose of SetupSecurityTokenHandler

Dec 2, 2011 at 1:35 PM


In the sample web application referenced in therecent post Token based Authentication for WCF HTTP/REST Services: Authorization there are  two calls toSetupSecurityTokenHandler in the Global.asax.cs. One is in the constructor for WebTokenWebServiceHostFactory, which in turn is in the constructor for a service route. The other is in the Application_Start:

private WebSecurityTokenHandlerCollectionManager SetupSecurityTokenHandler()
protected void Application_Start(object sender, EventArgs e)
private void RegisterRoutes(RouteCollection routes)
            var configuration = new WebTokenWebServiceHostConfiguration
                RequireSsl = true,
                EnableRequestAuthorization = false,
                AllowAnonymousAccess = true
            routes.Add(new ServiceRoute(
                new WebTokenWebServiceHostFactory(SetupSecurityTokenHandler(), configuration),

I presume that the call in the constructor is so that specific service routes can have credential handling set independently, but I don't understand what happens with the call in Application_Start, as the return value is not used.  Could someone explain please?