I have a WCF service which is running fine.
I now need to add security to it, and after having read a lot of posts on the internet I'm getting confused, as there are many ways of doing it.
I need a custom username and password validator (I will have to call another web service to know if user is authorized or not). I also need secure communication between client and server.
I am currently using basicHttpBinding. MS recommends the use of NetTcpBinding in my case (https://msdn.microsoft.com/en-us/library/ff648863.aspx#TransportSecurityWCF), but I am not sure whether this is, or can be, secured?
I think I'd better use WsHttpBinding to have SSL: do you think that this link provides a proper solution for my case? https://msdn.microsoft.com/en-us/library/ms733775.aspx
Thanks for your advice.
Upvotes: 1
You can do SSL/Transport encryption with BasicHTTPBinding. That doesn't need to change; you just need to set up the host side with "Transport" security, add some code and a certificate, and you should be able to proceed without changing too much code. I can include a small code sample below, since I did the same thing you're trying to do via a self-hosted service.
using System.ServiceModel;
using System.Text;

// Build the binding; when bUseSSL is set the endpoint is served over HTTPS.
BasicHttpBinding b = null;
if (bUseSSL) {
    // TransportWithMessageCredential: HTTPS for the channel plus a credential
    // carried inside the SOAP message. Transport: HTTPS only.
    if (bSSLMsgCredentialBypass) {
        b = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
    } else {
        b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
    }
    b.TransferMode = TransferMode.Buffered;
    b.MaxReceivedMessageSize = int.MaxValue;   // lifts the 64 KB default quota
    b.MessageEncoding = WSMessageEncoding.Text;
    b.TextEncoding = Encoding.UTF8;
    b.BypassProxyOnLocal = false;
    //b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
}
The authentication/authorization can be done, too, without changing what you currently have. You really have two choices:
One is that you create a Login function that gets called when the client first visits the host. You then send some token value back to the client for all subsequent communications.
The other way involves creating that custom authentication check, using the message inspector functionality found in Dispatcher.IDispatchMessageInspector and a public function called AfterReceiveRequest. Within that function, you can examine the UserID and Pwd (from within the HTTP header data) sent from the clients, but you need to implement this on both the client and host sides, otherwise it doesn't work.
Upvotes: 1
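The message-inspector approach from the answer above, written out as an added example (this is not the answerer's code or anything from the linked MSDN pages). The header names `X-UserID` and `X-Pwd`, the `IMyService` contract, the endpoint address and the `validate` delegate (where the asker's call to the external authorization web service would go) are all assumptions. Both halves are shown because, as the answer says, the client must add the headers and the host must check them; the host endpoint is created on the Transport-secured BasicHttpBinding so the headers only ever travel over HTTPS.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Host side: runs for every incoming request before the operation is invoked.
public class HeaderCredentialDispatchInspector : IDispatchMessageInspector
{
    private readonly Func<string, string, bool> _validate; // assumed: calls the external auth service

    public HeaderCredentialDispatchInspector(Func<string, string, bool> validate) { _validate = validate; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        object prop;
        var http = request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out prop)
            ? prop as HttpRequestMessageProperty : null;
        if (http == null)
            throw new FaultException("Request did not arrive over HTTP.");

        string user = http.Headers["X-UserID"]; // hypothetical header names
        string pwd  = http.Headers["X-Pwd"];
        if (string.IsNullOrEmpty(user) || pwd == null || !_validate(user, pwd))
            throw new FaultException("Authentication failed."); // generic: do not echo which part was wrong

        return null; // correlation state handed to BeforeSendReply; not needed here
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// Client side: stamps the credential headers onto every outgoing request.
public class HeaderCredentialClientInspector : IClientMessageInspector
{
    private readonly string _user, _pwd;
    public HeaderCredentialClientInspector(string user, string pwd) { _user = user; _pwd = pwd; }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        object prop;
        HttpRequestMessageProperty http;
        if (request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out prop))
            http = (HttpRequestMessageProperty)prop;
        else
        {
            http = new HttpRequestMessageProperty();
            request.Properties.Add(HttpRequestMessageProperty.Name, http);
        }
        http.Headers["X-UserID"] = _user;
        http.Headers["X-Pwd"] = _pwd;
        return null;
    }

    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}

// One behavior wires the matching inspector into whichever side it is applied to.
public class HeaderCredentialBehavior : IEndpointBehavior
{
    private readonly Func<string, string, bool> _validate;
    private readonly string _user, _pwd;

    public HeaderCredentialBehavior(Func<string, string, bool> validate) { _validate = validate; }
    public HeaderCredentialBehavior(string user, string pwd) { _user = user; _pwd = pwd; }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
        => endpointDispatcher.DispatchRuntime.MessageInspectors.Add(new HeaderCredentialDispatchInspector(_validate));

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
        => clientRuntime.MessageInspectors.Add(new HeaderCredentialClientInspector(_user, _pwd));

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

public static class HostSetup
{
    // Self-hosted endpoint over HTTPS. The server certificate must already be bound to
    // the port at the HTTP.SYS level; that step is outside this code.
    public static ServiceHost Start(Func<string, string, bool> validate)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        var host = new ServiceHost(typeof(MyService)); // assumed service type
        ServiceEndpoint ep = host.AddServiceEndpoint(typeof(IMyService), binding,
            "https://localhost:8443/MyService");       // assumed address
        ep.EndpointBehaviors.Add(new HeaderCredentialBehavior(validate));
        host.Open();
        return host;
    }
}
```

On the client, add `new HeaderCredentialBehavior(user, pwd)` to the proxy's `Endpoint.EndpointBehaviors` before the first call. Because `AfterReceiveRequest` runs on every message, a failed check stops the request before it reaches the service operation; and because the credential is a plain header, the host-side binding must stay in `Transport` (or `TransportWithMessageCredential`) mode so it is never sent over plain HTTP.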