locked
BasicHTTPBinding + Custom UserName Authentication + No SSL RRS feed

  • Question

  • Hey guys,
    I am new to the WCF world so please bear with me. Basically, what I am trying to do is I am trying to re-write my webservice (.asmx) written in .Net 1.1 to a WCF service. The current webservice uses a custom UserName/Password authentication to authenticate the client. We had only one client so far and the client was in Java. We did not use SSL certificate in the current webservice scenario.

    The new requirement is to have exactly the same authentication i.e. custom UserName/Password validation, NO SSL and there will be muliple clients, one in Java and another in .Net 3.0.

    Hence, I wanted to convert the program to WCF with BasicHTTPBinding (for Java client) but I dont have SSL certificate installed and I dont want to.

    Is it possible to use custom authentication to call a WCF service using BasicHTTPBinding w/o using SSL?

    Your help is highly appreciated!!!

    Thanks,
    Naeem
    Wednesday, September 16, 2009 9:14 PM

Answers

All replies

  • Hey guys,
    I am new to the WCF world so please bear with me. Basically, what I am trying to do is I am trying to re-write my webservice (.asmx) written in .Net 1.1 to a WCF service. The current webservice uses a custom UserName/Password authentication to authenticate the client. We had only one client so far and the client was in Java. We did not use SSL certificate in the current webservice scenario.

    The new requirement is to have exactly the same authentication i.e. custom UserName/Password validation, NO SSL and there will be muliple clients, one in Java and another in .Net 3.0.

    Hence, I wanted to convert the program to WCF with BasicHTTPBinding (for Java client) but I dont have SSL certificate installed and I dont want to.

    Is it possible to use custom authentication to call a WCF service using BasicHTTPBinding w/o using SSL?

    Your help is highly appreciated!!!

    Thanks,
    Naeem
    Wednesday, September 16, 2009 9:08 PM
  • You need to use clearUsernameBinding:


    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    • Marked as answer by Bin-ze Zhao Tuesday, September 22, 2009 7:27 AM
    Wednesday, September 16, 2009 10:07 PM
  • Hi Naeem,
       if you want to use custom authentication to call a WCF service using BasicHTTPBinding without using SSL,
      you can Use WCF message security mode with BasicHTTPBinding  to Custom usernamePassword validator.
      
      for Message security mode , you need not to use https for SSL.
      you can just  use http directly.
      Transport  security mode ,you need use SSL except NetTcpBinding.
      I have made a sample codes for this case with WSHttpBinding  :
    /Files/frank_xl/6.4.WCFServiceSecurityDemoFrankXuLei_Message_UserNamePassword_WSHttpBinding.rar

      but you need to change the WSHttpBinding to BasicHTTPBinding .

      http://www.cnblogs.com/frank_xl/archive/2009/08/12/1543867.html

     Hope it can help you .


    Regards

    Frank Xu Lei--谦卑若愚,好学若饥
    专注于.NET平台下分布式应用系统开发和企业应用系统集成
    Focus on Distributed Applications Development and EAI based on .NET
    欢迎访问老徐的中文技术博客:Welcome to My Chinese Technical Blog
    欢迎访问微软WCF中文技术论坛:Welcome to Microsoft Chinese WCF Forum
    欢迎访问微软WCF英文技术论坛:Welcome to Microsoft English WCF Forum
    Thursday, September 17, 2009 4:49 AM
  • Hi,

    If you want to use custom user name authentication over basichttpbinding without an https: or certificates,well,its not possible to send username and password in a clear text format over soap. And if your requirement is just to send the credentials over soap with any SSL etc you cannot use basichttpbinding and have to go for clearUsernameBinding as suggested by Yaron.
    • Marked as answer by Bin-ze Zhao Tuesday, September 22, 2009 7:27 AM
    Thursday, September 17, 2009 7:45 AM
  • Hey guys,
    Thank you all for your response. It was really helpful. So after a long research and consideration and after seeing your response, I am thinking of going with a SSL certificate and using TransportWithMessageCredentials since that best suites my scenario. I am also gonna use Membership Provider to store my user credentials and authenticate them at runtime. Please let me know if you'll see any issue with this...


    Thanks a ton!!!

    Naeem
    Thursday, September 17, 2009 9:35 PM