In its first incarnation, Windows Communication Foundation (WCF) did not support custom validators with transport-level HTTP security. That changed with .NET Framework 3.5. But how do you make it happen?
In a recent blog entry, Phil Henning discusses use of Custom UserNamePassword Validators in .Net Framework 3.5. He notes that the scenario is only supported under self-hosted services.
Henning describes how to create a validator, as well as how to configure a service. By configuring your service using transport security and the Basic clientCredentialType, he notes, and authentication header will be protected by SSL.