Reputation: 17784
I have created an interface with ServiceContract on the interface and OperationContract on all its methods. I implemented this interface in a class and then, in my ASP.NET website, I added a WCF service, which created an .svc file (because I wanted to host it in IIS with my website). Now the service is up and accessible at http://localhost:8732/webui/webservice/camservice.svc. Now I want to enable username and password authentication for this service. I suppose the svc uses basicHttpBinding because I didn't have to make any configuration in my web.config to make it run. Now how can I enable username/password authentication on this service? There are a lot of articles on the internet but, I believe, WCF security is such a giant that I can't get a focused explanation on username/password authentication with the method I have used. I am using .NET 4.0 with VS 2010.
Edit: OK, I have narrowed the problem down a little bit. I believe message-level security is what I need, like:

    <security mode="Message">
        <message clientCredentialType="Certificate" />
    </security>

I could have gone for SSL, but for that I will have to go to the DB for each service call and authenticate the user. What I prefer is that a client with a valid certificate is served by the service. I got a lot of information from this article. What it does not explain is how to set up the X.509 certificate on client and server and how I can control that only my clients can acquire a valid certificate.
Upvotes: 2
Views: 1903
Reputation: 7876
If you want to achieve username/password validation without SSL, you can use something called a ClearUsernameBinding that allows you to transport username/password over HTTP.

NOTE: Use this only when your service is behind a company firewall that gives enough security to the server that hosts your service.

In terms of using 2-way SSL, you need to install the service certificate .pfx, which has been issued by a trusted authority or is a self-signed certificate, on your server under the Personal store folder of the Local Machine account.

Then for client certificates you need to request the client to send a .cer file and install it on your servers under the Trusted People store folder of the Local Machine account.

On the client machine you need to install the client certificate .pfx under the Personal store folder of Current User.

NOTE: When using a self-signed certificate on your server, your client which performs a call to your web service via code needs to have the below code, which bypasses the security exception that comes up for self-signed certificates:

    // Invoked for every server certificate presented on the TLS connection;
    // returning true accepts the certificate regardless of any validation error.
    System.Net.ServicePointManager.ServerCertificateValidationCallback =
        (sender, cert, chain, error) =>
        {
            return true;
        };
Upvotes: 4
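As an added example (not code from the question or the answer above), here is a service-side web.config fragment that ties the question's message-level Certificate setting to the certificate store locations this answer describes. The service type name, contract name, binding and behavior names, and the certificate subject name are assumed placeholders; the service type must match the Service attribute of the .svc file.

```xml
<!-- Service side: web.config of the IIS-hosted site (placeholder names throughout) -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="certMessageBinding">
        <!-- message-level security, client authenticates with an X.509 certificate -->
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="WebUI.WebService.CamService" behaviorConfiguration="certBehavior">
      <endpoint address="" binding="basicHttpBinding"
                bindingConfiguration="certMessageBinding"
                contract="WebUI.WebService.ICamService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="certBehavior">
        <serviceCredentials>
          <!-- service .pfx installed in LocalMachine\Personal (store name "My") -->
          <serviceCertificate findValue="camservice-server" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectName" />
          <clientCertificate>
            <!-- PeerTrust: a client certificate is accepted only if that exact
                 certificate was installed in LocalMachine\Trusted People, so only
                 the .cer files you chose to install can authenticate -->
            <authentication certificateValidationMode="PeerTrust"
                            trustedStoreLocation="LocalMachine"
                            revocationMode="NoCheck" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

revocationMode="NoCheck" is there because self-signed certificates publish no CRL; with CA-issued certificates leave it at the default so revoked client certificates are rejected. The client needs the matching endpoint behavior: clientCredentials/clientCertificate pointing at the .pfx in CurrentUser\Personal, and the service's public certificate supplied under serviceCertificate so the client can encrypt for the service.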