By Ingo Rammer, Microsoft MSDN
Library.
In this article the author shows how you can
create and use a custom security token manager with the Web
Services Enhancements 2.0 for Microsoft .NET to check for X.509
certificates, map them to roles and populate context information
with custom principal and identity objects.
He shows how easy it is to use WS-Policy from
within Visual Studio .NET to add declarative checking of role
membership to your applications. The advantage of this approach,
which is based on WS-Security, over classic HTTP-based security
is that it doesn't rely on transport-level integrity or security
but instead works solely with the SOAP message. This provides you
with end-to-end security capabilities over multiple hops and
protocols.
http://msdn.microsoft.com/library/en-us/dnwse/html/wserolebasedsec.asp
See also WS-Security references:
http://xml.coverpages.org/ws-security.html