You can use either a UserNamePasswordValidator or an ASP.NET Membership provider to validate username/password credentials. You configure the password validation in the serviceCredentials/UserNameAuthentication behavior.
Dominick Baier, thinktecture - http://www.leastprivilege.com
Either use transport security with Basic credentials, or UserName credentials with message security. The transport case only works outside of IIS.
In addition you can enable an ASP.NET role provider to fetch roles for the user. This is done in the serviceAuthorization behavior.
Dominick Baier, thinktecture - http://www.leastprivilege.com
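A configuration sketch of the setup described in the replies above, added here as an example and not taken from the original posts. It shows UserName credentials over message security, password validation through an ASP.NET membership provider, and role lookup through an ASP.NET role provider. The service and contract names, behavior and binding names, provider names and certificate subject are assumptions to be replaced with your own.

```xml
<!-- Added example: all names below (Example.Service, UserNameBehavior,
     UserNameBinding, provider names, certificate subject) are assumptions. -->
<system.serviceModel>
  <services>
    <service name="Example.Service" behaviorConfiguration="UserNameBehavior">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="UserNameBinding"
                contract="Example.IService" />
    </service>
  </services>

  <bindings>
    <wsHttpBinding>
      <binding name="UserNameBinding">
        <!-- Message security carrying UserName credentials -->
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="UserNameBehavior">
        <serviceCredentials>
          <!-- Message security needs a service certificate to protect the
               credentials; the subject name here is a placeholder. -->
          <serviceCertificate findValue="CN=PLACEHOLDER-SERVICE-CERT"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <!-- Password validation through an ASP.NET membership provider.
               For a UserNamePasswordValidator instead, set
               userNamePasswordValidationMode="Custom" and
               customUserNamePasswordValidatorType="Namespace.Type, Assembly". -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                  membershipProviderName="AspNetSqlMembershipProvider" />
        </serviceCredentials>
        <!-- Roles for the authenticated user come from an ASP.NET role provider -->
        <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                              roleProviderName="AspNetSqlRoleProvider" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The role provider must also be enabled under system.web (roleManager enabled="true") for the role lookup to return anything.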