So I was talking to Shea Strickland a relatively new starter in readify who is doing some WCF work and asked about the role provider support in WCF. He pointed me to an article by Dominick Baier who mentioned that the RoleProviderPrincipal in WCF will actually cause a database call each time an IsInRole check is performed.
After some experimentation, this was confirmed by myself to be absolutely true. If a service request comes in, and during the course of that request, you make 3 IsInRole checks (perhaps at various layers of the domain model for example), then the database will get 3 requests to execute a stored proc to check the users role.
By contract, the ASP.NET RolePrincipal will get all the users roles when the first IsInRole check is performed, and then subsequent role checks will not hit the database at all, but rather check against the roles that are in memory.
I was somewhat disappointed by this as it meant that potentially, a lot of extra DB work is being performed, and not exactly what I would call best practice. Luckily, WCF is pretty easy to extend, and again, with the help of an article by Dominick Baier, I created a custom authorisation policy (implements IAuthorizationPolicy) which could be plugged into WCF, and use the standard ASP.NET RolePrincipal, thus getting the behaviour we are after.
To that end, I have created a small library with the authorisation policy code ready for you to download and use.
Simply download the library here, then make a change to your configuration file as shown below.
I would consider this a pretty common requirement if you are using the ASP.NET Role Providers in WCF, so this is why I have made this available. In addition, its a pretty small piece of code, but its still not that easy to discern via just spelunking around WCF (as Dominick already mentioned).
So hopefully this is useful for others.