none
WCF - ServiceHost - WDSL - DigestAuthentication RRS feed

  • Question

  • We building a application witch can be used to communicate with a PC from a mobile device. The setup is a desktop system with the host (ServiceHost) and a client (WM/CE). Now I would like to know how to secure the application.

    I did search on the internet and found a lot of security tips, but I can`t find how to secure the WSDL page. We have build a webserivce also for the cloud applications. But the ServiceHost is used for local systems without IIS. When the user come`s on the webservice page he needs to enter a username and password. We would like to have this also for the ServiceHost.

    On the internet I found some information for the 'UserNamePasswordValidator'. This works only when I set 'SerivceMetaDataBehavior.ExternalMetdataLocation'. If I don`t set it the WSDL appears without Username/Password. When I set the option I need to enter a Username/Password and the breakpoint in 'UserNamePasswordValidator' is hit, but the page won`t appear.

    How can I solve this?

    Monday, August 19, 2013 8:15 AM

Answers

  • Hi,

    If you're using IIS host, then we can leverage IIS server's authentication layer to protect the WSDL document. For self-host in our own .NET application, I'm afraid there is no much built-in support to restrict access to the "?wsdl" page. As you've found, one method is to provide a custom WSDL page via the "externalMetadataLocation" attribute and then secure the custom WSDL page (might host it in a webserver which enable basic authentication) separately.


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support

    Please remember to "Mark as Answer" the responses that resolved your issue. It is a common way to recognize those who have helped you, and makes it easier for other visitors to find the resolution later.

    Tuesday, August 20, 2013 5:35 AM
    Moderator

All replies

  • I have continued searching on the internet.

    Supported security (.NET CF): http://blogs.msdn.com/b/andrewarnottms/archive/2007/08/21/the-wcf-subset-supported-by-netcf.aspx
    Example security: http://www.codeproject.com/Tips/433463/Selfhosted-Secure-WCF-by-Id-password-custom-valida

    So the security works when I add the service reference in .NET.
    I still can access the WSDL from the http://localhost:5001/

    I still can`t protect my service because the Username/Password (TransportCredentialOnly) isn`t supported.

    Anyone a better solution?

    Monday, August 19, 2013 3:17 PM
  • Hi,

    If you're using IIS host, then we can leverage IIS server's authentication layer to protect the WSDL document. For self-host in our own .NET application, I'm afraid there is no much built-in support to restrict access to the "?wsdl" page. As you've found, one method is to provide a custom WSDL page via the "externalMetadataLocation" attribute and then secure the custom WSDL page (might host it in a webserver which enable basic authentication) separately.


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support

    Please remember to "Mark as Answer" the responses that resolved your issue. It is a common way to recognize those who have helped you, and makes it easier for other visitors to find the resolution later.

    Tuesday, August 20, 2013 5:35 AM
    Moderator