ScottG

Reputation: 11119

Looking to add basic security to a WCF service

I have a WCF 3.5 service and it runs great. It is using basicHttpBinding and IIS 7 hosted. I'd like to add some minimal security to it, maybe a username and a password. Can someone give me some really basic instructions? What do I need to add to my web.config file?

Upvotes: 1

Views: 2658

Answers (2)

dyslexicanaboko

Reputation: 4285

Not that there is anything wrong with the content found on codeplex, I just feel that it is too much all at once when you are just trying to get started. Personally I like it better when someone just gives me a good run through whether it is applicable to what I am trying to accomplish or not - as long as it is the basic idea that I am looking for.

That being said I feel that these articles by Peter van Ooijen do just that...

Original Article
A Simple WCF Service With Username & Password Authentication: The Things They Don't Tell You

Followup Article
A Simple WCF Service With Username & Password Authentication: The Things You Told Me

...it bypasses a lot of the heavy (unwanted) detail and gets to the meat of the WCF Security Idea since it is so drastically different from pre-WCF Security. I think the most difficult thing to deal with (unfortunately) is creating those security certificates. I personally never had to do that before so I found it to be a pain. Luckily here is a tool that helps with creating the certificates, created by PluralSight, free to use. In the article a link is provided to PluralSight's self-cert tool; the link is broken however. Here is their current link:

Self-Cert by PluralSight

Hope this helps anyone struggling with this like I did.

Upvotes: 2

marc_s

Reputation: 755207

The WCF Security Guidance is a really good place to start - with lots of scenarios, samples, explanations and more.

For basic username/password authentication over basicHttpBinding, you need to have several pieces in place:

  • enable the username/password on the client (config or code)
  • actually set the username/password on the client before each call (only in code)

  • define how to validate the username/password coming in on the server side - your options are validating against Active Directory (e.g. all your callers need to have an AD account with you in your domain), validating against the ASP.NET membership database, or rolling your own

  • install a certificate for the service on the server side, so that your messages can be protected (encrypted and signed)

This how-to "How To – Use Username Authentication with the SQL Server Membership Provider and Message Security in WCF from Windows Forms" basically does what you're looking for - the concrete example is for wsHttp, but it should work for basicHttpBinding as well.

Upvotes: 1
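The pieces listed in the answer above, as one server-side web.config fragment. This is an added example, not code from the question or from either answer: the service and contract type names (`MyApp.OrderService`, `MyApp.IOrderService`), the validator type name (`MyApp.Security.SimpleUserNameValidator`) and the certificate subject are placeholders you replace with your own. It uses basicHttpBinding with `Message` security and a `UserName` client credential, so the service certificate is what encrypts and signs the messages, and it selects the "roll your own" validation option.

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Only the WCF part of web.config is shown; keep your other sections as they are. -->
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Message security: the service certificate protects (encrypts and signs)
             the SOAP body, and the client sends its username/password inside it. -->
        <binding name="UserNameMessageBinding">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <services>
      <!-- Assumed names: replace with your own service class and contract interface. -->
      <service name="MyApp.OrderService" behaviorConfiguration="UserNameBehavior">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="UserNameMessageBinding"
                  contract="MyApp.IOrderService" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="UserNameBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <!-- Do not leak stack traces to callers in production. -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceCredentials>
            <!-- The certificate installed for the service on the server
                 (LocalMachine\My). The subject name is a placeholder. -->
            <serviceCertificate findValue="CN=placeholder-service-cert"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindBySubjectDistinguishedName" />
            <!-- "Custom" = roll your own validator. The other choices from the
                 answer are "Windows" (Active Directory) and "MembershipProvider"
                 (ASP.NET membership database). Validator type name is assumed. -->
            <userNameAuthentication userNamePasswordValidationMode="Custom"
                                    customUserNamePasswordValidatorType="MyApp.Security.SimpleUserNameValidator, MyApp" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

The custom validator named in `customUserNamePasswordValidatorType` is a class that derives from `System.IdentityModel.Selectors.UserNamePasswordValidator` and overrides `Validate(string userName, string password)`, throwing a `SecurityTokenException` on failure; compare against a stored password hash rather than a plaintext password. On the client, the binding configuration is mirrored and the credentials are set in code before each call (`proxy.ClientCredentials.UserName.UserName` and `.Password`); because the binding uses Message security, the client also needs the service certificate's public key (the `clientCredentials/serviceCertificate` element) so it can encrypt to the service.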
