Authentication of wcf service

  • Question

  • It is a "looks easy" task that I can't get done by myself. I have a WCF service which should be protected by a username and password credential and stay in session mode.

    So, here is the part of interface with Activation function.

    <ServiceContract(SessionMode:=SessionMode.Required, ProtectionLevel:= ProtectionLevel.EncryptAndSign)>
    Public Interface ServiceS
    
      <OperationContract()>
      Function Activation(A As String) As String
    
    End Interface

    Background Class

    Public Class Service1
    Implements ServiceS
    
      Function Activation(A As String) As String Implements ServiceS.Activation
        Return "Hello, " & A & "!"
      End Function
    
    End Class

    Next is a web.config.

    <system.serviceModel>
    <services>
      <service name="MyServiceS.Service1" behaviorConfiguration="MyBehavior">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MyBinding" contract="MyServiceS.ServiceS" />
      </service>
    </services>
    
    <bindings>
      <wsHttpBinding>
        <binding name="MyBinding" useDefaultWebProxy="false">
          <security mode="Message" />
        </binding>
      </wsHttpBinding>
    </bindings>
    
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyBehavior">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    
    <protocolMapping>
      <add scheme="https" binding="wsHttpBinding"/> 
      <add scheme="http" binding="wsHttpBinding"/> 
    </protocolMapping>
    
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
    
    </system.serviceModel>

    Client side code.

    Dim wcfTest As New MyService.ServiceSClient
    wcfTest.ClientCredentials.Windows.ClientCredential.UserName = "Name"
    wcfTest.ClientCredentials.Windows.ClientCredential.Password = "Password"
    Dim Reply as String = wcfTest.Activation("Alex")

    What do I expect? I need my WPF application to connect to my service and pass a username and password. If they are correct, the user can access the Activation function; if not, the session should be closed. So, I passed the login and password to the service but have no idea how to check them. Should it be part of the interface or the background class or something else?

    I saw tons of examples on the Internet, but most of them are about other things.
    - Recommendation of using ASP. I don't need ASP. This service should be pure WCF.
    - Using a certificate. I don't need any certificates. It should be only username and password verification.
    - Roles. No roles needed. Only username and password verification.
    - basicHttpBinding. No, only wsHttpBinding.
    - .Net 3.5 or 4.5. Many solutions are addressed to .Net 3.5. I'm using 4.0 (I used to use 4.5, but new technology has been integrated there and there are practically no complete examples).

    If you know how to keep a session by checking only username and password, only with wsHttpBinding, only with WCF, only with 4.0, please advise. Or say why it's impossible, if it is so. Thanks a lot!

    • Edited by Newfriend Sunday, August 18, 2013 11:09 AM
    Saturday, August 17, 2013 7:03 PM

All replies

  • ClientCredential.UserName stuff is specific to Windows authentication.

    WCF allows for custom user name and password authentication schemes, also known as Validators. To incorporate a custom user name and password validation, refer to: http://msdn.microsoft.com/en-us/library/aa702565.aspx


    Lingaraj Mishra

    • Marked as answer by Newfriend Tuesday, August 20, 2013 9:21 AM
    Sunday, August 18, 2013 12:12 PM
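
A custom validator of the kind this answer points to, as an added example that is not part of the original thread or of the linked MSDN page. The class name `CredentialValidator`, the assembly name in the config comment, the in-memory account store and the PBKDF2 parameters are assumptions; as the later replies note, sending the UserName credential still requires a service certificate or transport security.

```vb
Imports System.Collections.Generic
Imports System.IdentityModel.Selectors
Imports System.IdentityModel.Tokens
Imports System.Security.Cryptography

' web.config wiring (real WCF settings; the type and assembly names are assumptions):
'   in <behavior name="MyBehavior">:
'     <serviceCredentials><userNameAuthentication userNamePasswordValidationMode="Custom"
'       customUserNamePasswordValidatorType="MyServiceS.CredentialValidator, MyServiceS" />
'     </serviceCredentials>
'   in <binding name="MyBinding">, inside <security>: <message clientCredentialType="UserName" />
' Client: set wcfTest.ClientCredentials.UserName.UserName / .Password instead of .Windows.
Namespace MyServiceS
  Public Class CredentialValidator
    Inherits UserNamePasswordValidator

    Private Const Iterations As Integer = 100000
    ' Constructed sample store: user name -> (salt, PBKDF2 hash). Never keep plain passwords.
    Private Shared ReadOnly Accounts As New Dictionary(Of String, Tuple(Of Byte(), Byte()))

    Shared Sub New()
      Dim salt(15) As Byte
      Dim rng As New RNGCryptoServiceProvider()
      rng.GetBytes(salt)
      Accounts("Name") = Tuple.Create(salt, Derive("Password", salt))
    End Sub

    Private Shared Function Derive(password As String, salt As Byte()) As Byte()
      Return New Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(32)
    End Function

    ' WCF calls this when a UserName credential arrives; throwing rejects the caller.
    Public Overrides Sub Validate(userName As String, password As String)
      Dim entry As Tuple(Of Byte(), Byte()) = Nothing
      Dim known = userName IsNot Nothing AndAlso Accounts.TryGetValue(userName, entry)
      ' Derive for unknown users too, so both paths cost about the same.
      Dim salt = If(known, entry.Item1, New Byte(15) {})
      Dim actual = Derive(If(password, String.Empty), salt)
      Dim diff As Integer = If(known, 0, 1)
      If known Then
        For i = 0 To actual.Length - 1   ' compare every byte, no early exit
          diff = diff Or (actual(i) Xor entry.Item2(i))
        Next
      End If
      If diff <> 0 Then Throw New SecurityTokenException("Unknown user name or incorrect password.")
    End Sub
  End Class
End Namespace
```

The same error message is returned for an unknown user and a wrong password, so the service does not reveal which account names exist.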
  • The sad story is certificate now needed (((

    Aleksey

    Sunday, August 18, 2013 8:35 PM
  • The sad story is certificate now needed (((

    Aleksey

    Hi,

    Please try to use the X.509 certificates.

    For more information, please try to refer to:

    #How to obtain an X.509 certificate:
    http://msdn.microsoft.com/en-us/library/aa702761.aspx .

    #How to: Make X.509 Certificates Accessible to WCF:
    http://msdn.microsoft.com/en-us/library/aa702621.aspx .

    #Nine simple steps to enable X.509 certificates on WCF:
    http://www.codeproject.com/Articles/36683/9-simple-steps-to-enable-X-509-certificates-on-WCF .

    #How to: Use Certificate Authentication and Message Security in WCF:
    http://msdn.microsoft.com/en-us/library/ff648360.aspx .

    Best Regards,
    Amy Peng


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support

    Please remember to "Mark as Answer" the responses that resolved your issue. It is a common way to recognize those who have helped you, and makes it easier for other visitors to find the resolution later.

    Monday, August 19, 2013 2:27 AM
    Moderator
  • Hi Aleksey,

    As Lingaraj has suggested, you can implement a custom validator for username authentication (used in WCF as message layer security authentication). Also, we can take advantage of the ASP.NET membership provider as the account database for validating username credentials:

    #How to: Use the ASP.NET Membership Provider
    http://msdn.microsoft.com/en-us/library/ms731049.aspx

    And as you've found, using message layer security requires that you provide a service certificate so that the client and server can properly negotiate and exchange data for initializing a secure connection so as to transfer sensitive data (such as username credentials). Or we can use the "TransportWithMessageCredential" security mode, which lets the transport protocol take care of the message encryption/signing work:

    #How to: Use Transport Security and Message Credentials
    http://msdn.microsoft.com/en-us/library/ms789011.aspx

    #Chapter 7: Message and Transport Security
    http://msdn.microsoft.com/en-us/library/ff648863.aspx

    Monday, August 19, 2013 3:05 AM
    Moderator
  • The point is to keep the session alive as simply as possible. Creating and adding a certificate is not simple. I thought that if I check and pass through the login by username and password, I can keep my session alive without bothering the client (he shouldn't even enter this username and password; the program does it by itself using automatically generated data). How to avoid such complicated things and keep the session alive in a simple manner?

    Aleksey

    Monday, August 19, 2013 7:38 AM
  • Please take a look at my first message. There shouldn't be any certificates or ASP. Can anything else be used to reach my target?

    Aleksey

    Monday, August 19, 2013 7:39 AM