none
confused how to add NTLM authentication to a webservice

    Вопрос

  • hello,

    i am a bit confused how to add NTLM authentication to a webservice.

    this is what i've done so far:

    created a wcf project in vs 2010 and after renaming the default classes to NTLMService and INTLMService, edited the webconfig file this way

    <?xml version="1.0"?>
    <configuration>
    
      <system.web>
        <compilation debug="true" targetFramework="4.0" />
      </system.web>
      <system.serviceModel>
        <bindings>
          <basicHttpBinding>
            <binding name="NewBehavior">
              <security mode="TransportCredentialOnly" >
                <transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" />
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <services>
          <service name="NTLMService.NTLMService" behaviorConfiguration="NewBehavior">
            <endpoint address="http://localhost:19861/NTLMService.svc" binding="basicHttpBinding"
              bindingConfiguration="NewBehavior" name="Basic" contract="NTLMService.INTLMService" />
    
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior name="NewBehavior">
              <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
              <serviceMetadata httpGetEnabled="true"/>
              <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
              <serviceDebug includeExceptionDetailInFaults="false"/>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
      </system.serviceModel>
     <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>
      
    </configuration>

    now, if i call http://localhost:19861/NTLMService.svc?wsdl from the browser,

    i can see the wsdl without providing any kind of authentication, is this normal ?

    also, after creating the client and adding the webservice reference,

    i can call the GetData method without sending any security tokens.

    the question is, is the webservice secured this way ? what i am missing here ?

    thank you in advance.

    12 марта 2012 г. 10:39

Все ответы