This post may be interesting for you because you eiter
- want to control who has access to a service’s metadata
- retrieving metadata suddenly stops working when adding a ServiceAuthorizationManager to your service
Metadata retrieval requests pass just like normal requests the ServiceAuthorizationManager (if registered). Such requests will have a an action of http://schemas.xmlsoap.org/ws/2004/09/transfer/Get. You can retrieve this value from operationContext.IncomingMessageHeaders.Action.
So if you want to secure your MEX endpoint as described in this post, you can use a ServiceAuthorizationManager to distinguish between metadata requests and “normal” requests to make authorization decisions. If you don’t care about MEX security but use an authorization manager, make sure you watch out for the metadata retrieval action, otherwise your clients probably can’t update their client proxies.
UPDATE: DrNick has some more alternatives for detecting metadata requests.