Precious Roy

Reputation: 1086

WCF authentication and encryption

I created a WCF service that serves up an image as a byte[]. I have it functioning fine, but I’m not that experienced with authentication and encryption in services. The client is going to be displaying the image in their site. They requested username and password authentication and some form of encryption, but they seem flexible if there is an easier option that works well. They will only be sending a few parameters in the call,

I’ve been modeling my attempt after this, but from what I’m seeing in WCF, it has to be over an SSL layer if you do it this way because there is no encryption for the plain text SOAP headers containing the username and pass. I would prefer not to go the SSL route unless it's necessary.

I read that I could use negotiateServiceCredential="false" for a one-way communication, but I'm not sure a one-shot security mode is what I'm looking for. I can't seem to find a tutorial or scenario example similar enough.

Upvotes: 2

Views: 699

Answers (1)

Precious Roy

Reputation: 1086

If anyone might be interested... I'm using this guy's solution to model off of link, and it seems to be working well.

Basically, after reading some other posts on here, I got turned on to this book, where I learned some more about how these services are generally set up. I decided on going with username & password authentication by creating my own validator class for the message security. This tag was a little tricky for me to figure out (in the web.config), but there is a lot out there to learn more about it:

<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="YourService.MyValidator, YourService" />

If you use username for message security, WCF requires you to secure the transport with a certificate, in this case an SSL. This is because the credentials are passed in plain text. The plus is that SSL hardware accelerators allow for fast message transmission, and I'm attempting to transport large files to the client.

The solution I linked to is a good walkthrough for any newbs like myself. A really helpful part was learning how to make temporary certificates to use for testing purposes using MakeCert. Just run this in a cmd:

makecert -r -pe -n "CN=compaq-jzp37md0" -b 01/01/2000 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

where "compaq-jzp37md0" is the server name, so you need to replace it with your PC name.

Upvotes: 1
