Reputation: 1065
WCF authentication without certificate
I'm setting up a WCF service. The service has to use transport security over https and I need to use some kind of authentication to prevent unwanted usage.
Digging in to WCF theory has disapointed me so far.
What I have found out so far is that I can use UserName authentication with transport security. But then I will need a certificate to secure the message.
And this makes it difficult to consume with most .NET languages.
I am surprised that I cannot find any good information on how to authenticate a user with wcf without message security?
What I would like is that the client passes username and password in some way to my service.
And for the record. The service will be using transport security.
To break it down:
- How can I implement authentication without limiting interoperability?
- Is WCF services so cumbersome that I either have to use a completely open service. And use IP filtering or VPN to restrict access?
UPDATE: Since I am planing to use https with a SSL sertificate, will security mode "TransportWithMessageCredential" be the solution for me?
Upvotes: 2
Views: 1606
Answers (2)
Reputation: 842
TransportWithMessageCredential (AKA mixed-mode security) is indeed what you are looking for.
Upvotes: 0
Reputation: 16992
The only way to get REAL security IS to use digital certificates.
See my own question on this topic for details.
Upvotes: 1
Related Questions
- WCF and Authentication
- WCF service certificate authentication
- WCF Authentication WITHOUT SSL
- SSL Cert for WCF auth
- Authenticate user with certificate to WCF service
- WCF security, username password without certificate
- Securing a WCF WebService without using a certificate
- WCF message / method security without a client certificate
- WCF and authentications requiring certificates?
- WCF client with ssl and username/password authentication