Simple authentication with WCF?

  • Question

  • Hey!

    I want to have a simple login procedure for my WCF service and have looked at the following topics:

    Custom principals - Will use Windows roles and logins, but can be customized to add my own roles
    Custom UserNamePassword Validator - Lets me send username and password to the service, but requires SSL communication

    My demands/needs for this authentication solution are as follows:

    1) The service and client will be located on an internal and secure network; because of this I do not want to use SSL
    2) The authentication will be made with a Username and Password that are sent from the client to the service
    3) Data have to be sent without SSL

    How do I do this?

    I have thought of the following solutions:

    1) Create a virtual folder (in IIS) and an endpoint that supports SSL. When the client contacts the service, my custom UserNamePassword validator will validate the user and create a unique string (some kind of token) that is sent back to the user over SSL.

    The client reconnects to another endpoint (and virtual directory (IIS)) that does not use SSL and passes the unique string (token). The service knows what token the specific user should provide and can by this grant the user access to the service.

    2) Do my own user and password check manually on the service; this means having a login and logout method on the service. This will not demand any SSL and it's a far simpler solution than 1. Probably I will be able to use custom principals here and by this use roles?

    What way should I use? Is there any other way?
    Friday, November 2, 2007 9:46 AM

Answers

  • See this thread.  If you don't mind losing a little bit of perf it'd be simplest in your case just to do username over https.

    Friday, November 2, 2007 3:28 PM
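
A sketch of the custom UserNamePassword validator mentioned in the question, set up for the username-over-HTTPS approach the answer recommends. This is an added example, not code from either poster; the namespace `Demo.Security`, the assembly name `Demo`, the class `StoreValidator`, the `AddUser` helper and the in-memory user store are all hypothetical, and the iteration count is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

namespace Demo.Security // hypothetical namespace
{
    // Config wiring (HTTPS carries the message, the username token travels inside it):
    //   <security mode="TransportWithMessageCredential">
    //     <message clientCredentialType="UserName" />
    //   </security>
    //   <userNameAuthentication userNamePasswordValidationMode="Custom"
    //     customUserNamePasswordValidatorType="Demo.Security.StoreValidator, Demo" />
    public class StoreValidator : UserNamePasswordValidator
    {
        private const int Iterations = 100000; // assumption: tune to your hardware

        // Constructed in-memory store: user -> { salt, PBKDF2 hash }. Use a real store in practice.
        private static readonly Dictionary<string, byte[][]> Users =
            new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase);

        public static void AddUser(string user, string password)
        {
            byte[] salt = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
            Users[user] = new[] { salt, Derive(password, salt) };
        }

        // WCF calls this for every request that carries a username token.
        public override void Validate(string userName, string password)
        {
            byte[][] rec;
            bool ok = userName != null && password != null
                && Users.TryGetValue(userName, out rec)
                && FixedTimeEquals(rec[1], Derive(password, rec[0]));
            // Same message for an unknown user and a wrong password.
            if (!ok) throw new SecurityTokenException("Invalid user name or password.");
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            // PBKDF2; this constructor uses HMAC-SHA1.
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                return kdf.GetBytes(32);
        }

        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            int diff = a.Length ^ b.Length;
            for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

Because the validator runs per request, the service needs no login or logout operations; the password is never stored in clear text on the service side and is protected in transit by the HTTPS transport.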