WCF Security: Security with Custom Basic Authentication

  • Question

  • Hi,

    I've set up security in my RESTful WCF services using Custom Basic Authentication (deactivating the IIS Basic Authentication and not using Windows account login; my service is hosted by IIS) using the following link.

    allen-conway-dotnet.blogspot.fr/2012/07/using-basic-authentication-in-rest.html


    I understand the consumers have to implement a client to pass credentials in the request header.

    It is base64 encoded and we can see credentials passing in the Firebug network tab while debugging (it is always the same encoded string <=> same credentials .......)

    So, in addition, to enforce security I will add SSL to encrypt the URL:

    https://myrestfulserviceurl/Method.

    Now the consumers ask me why we don't just put the login and password in the URL request, i.e.

    https://myrestfulserviceurl/Method?login=XXX&password=YYY (also combined with SSL)

    Thus I will add login and password as parameters in my Operation Contract and call a method for authentication in my method "Method".

    My question is:

    What is the difference (both scenarios will use SSL) between Custom Basic Authentication (credentials in the request header) and simply passing credentials in the URL as parameters?

    I mean: I'm just asking myself why I bother to implement Basic Authentication as, in both scenarios, passing credentials in the URL or in the header looks similar, in that both pass stuff in the request.

    Basic Authentication does not look more secure, except for the base64 encoding.

    Correct me if I'm wrong.

    I am just looking for a reason to implement Custom Basic Authentication.

    Thanks,

    Daniel



    • Edited by Daniel NGN Wednesday, December 4, 2013 11:37 AM change formulation.
    Wednesday, December 4, 2013 8:25 AM

Answers

  • Hi,

    The difference is that basic authentication is a well specified challenge/response scheme that all browsers understand and it is the server that starts it by telling a client that it requires (basic) authentication for a realm. This triggers the browser to show a popup to the user to enter a name/password which it then passes in the headers as you described.

    If you reduce this process to the single step of passing the username/password from the client to the server, I have to agree that there isn't that much difference, but basic authentication implies a bit more than just that.

    Best Regards,
    Amy Peng



    Friday, December 6, 2013 6:43 AM
    Moderator
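As an added illustration of the two designs discussed in this thread (this is not code from the original question or answer, and it is not WCF code): a small Python model of the Basic challenge/response the answer describes (RFC 7617), placed next to the login/password-in-URL variant the question proposes. The realm name, the user table and the sample requests are assumptions made up for the example. The `access_log_line` helper shows a property the thread itself does not mention: a typical web-server access log records the request line, query string included, but not request headers, so the query-string design writes credentials into logs that the header design does not. In both designs the base64 token is trivially decodable, which is why TLS is what actually protects the credentials in transit.

```python
"""Constructed example: HTTP Basic challenge/response versus credentials in the query string.

Not code from the forum thread or from WCF. REALM, USERS and all sample
requests are made-up values for illustration only.
"""
import base64
import binascii
import hmac
from urllib.parse import parse_qs, urlsplit

REALM = "MyRestfulService"  # assumed realm name
# Constructed user table. A real service would verify against a hashed password store.
USERS = {"daniel": "s3cret"}


def _credentials_valid(user, password):
    """Constant-time comparison; unknown users still pay for one comparison."""
    expected = USERS.get(user)
    if expected is None:
        hmac.compare_digest(password.encode("utf-8"), password.encode("utf-8"))
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def _challenge(body=""):
    """The 401 response that starts the Basic scheme: it names the realm the client must authenticate for."""
    return {"status": 401,
            "headers": {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'},
            "body": body}


def build_basic_authorization(user, password):
    """Client side: what the consumer's client has to put in the Authorization header."""
    if ":" in user:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Server side: return (user, password) from an Authorization value, or None if malformed.

    Base64 is an encoding, not encryption: anyone who sees the header can decode it.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first ':' separates user from password; the password may contain ':'.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def handle_basic(request):
    """Basic design: no header -> challenge; bad header -> challenge again; good header -> 200."""
    auth = request.get("headers", {}).get("Authorization")
    if auth is None:
        return _challenge()
    creds = parse_basic_authorization(auth)
    if creds is None or not _credentials_valid(*creds):
        return _challenge("bad credentials")
    return {"status": 200, "headers": {}, "body": f"hello {creds[0]}"}


def handle_query(request):
    """Query-string design from the question: no challenge, the client just has to know the parameter names."""
    qs = parse_qs(urlsplit(request["url"]).query)
    user = qs.get("login", [None])[0]
    password = qs.get("password", [None])[0]
    if user is None or password is None or not _credentials_valid(user, password):
        return {"status": 401, "headers": {}, "body": "bad credentials"}
    return {"status": 200, "headers": {}, "body": f"hello {user}"}


def access_log_line(request, response):
    """Shape of a common access-log entry: request line and status; headers are not recorded."""
    return f'{request["method"]} {request["url"]} {response["status"]}'


if __name__ == "__main__":
    # Constructed requests against the two handlers.
    first = {"method": "GET", "url": "/Method", "headers": {}}
    print(handle_basic(first))  # 401 with a WWW-Authenticate challenge
    retry = {"method": "GET", "url": "/Method",
             "headers": {"Authorization": build_basic_authorization("daniel", "s3cret")}}
    print(handle_basic(retry), "->", access_log_line(retry, handle_basic(retry)))
    via_url = {"method": "GET", "url": "/Method?login=daniel&password=s3cret", "headers": {}}
    print(handle_query(via_url), "->", access_log_line(via_url, handle_query(via_url)))
```

Running the script shows the first Basic request being refused with a realm challenge, the retry succeeding, and the two access-log lines: the header-based request logs as `GET /Method 200`, while the query-string request logs the login and password verbatim.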