How to build a real world WebService for User/Password authentication without https

  • Question

  • Hi,

    I think this question contains two questions. I want to develop WCF services to use in an app which should run under web (AngularJS), iOS and Windows Phone.

    That's the idea :)

    As I started to design my app, I came across the login mask already in the first step. I could send username and password in plaintext to the service and let's do something. But I think that this is definitely not a good idea.

    Therefore I have the following questions:

    1.) How to implement a real world authentication in WCF without the use of http and certs?

    2.) How to check authorization with each service request without the need to send again and again username and password to service?

    I mean this is a very basic requirement. Isn't there a good starting point? A Microsoft best practice etc.?

    br

    Yavuz


    • Edited by BOG's Lab Sunday, August 16, 2015 2:01 PM
    Sunday, August 16, 2015 10:29 AM

All replies

  • If I were you, you might want to think about looking at WebAPI.

    https://msdn.microsoft.com/en-us/library/jj823172%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396

    If you were to use an MVC Web-based solution using n-tier and separation of concerns, then all you would need to do is see what device is hosting the browser and take the appropriate code path, but really there are very few paths that need to be taken based on browser device type.

    Everything is hosted at the Web site. 

    https://en.wikipedia.org/wiki/Separation_of_concerns

    There would be no need for you to be concerned with a user-id and password authentication on the tiers below the presentation tier or with the Web service.

    You can use a user's mail address and a psw at the presentation tier to authenticate users logging on to the site.

    http://weblogs.asp.net/sukumarraju/creating-n-tier-web-api-application

    You can do the same thing with WCF too by keeping everything centralized and using n-tier, because the device browsers don't care what underlying technology is being used at the site.

    Sunday, August 16, 2015 7:38 PM
  • Hi BOG's Lab,

    According to your description, for this question ">> How to implement a real world authentication in WCF without the use of http and certs?", my opinion is that we can customize an encryption and decryption algorithm with the WCF service.

    For more information, please refer to the following articles:

    1. WCF Client Server Application with Custom Authentication, Authorization, Encryption

    2. Custom Authentication and Security for Routing Service of WCF 4.0

    For this question, "How to check authorization with each service request without the need to send again and again username and password to service?", I suggest you enable sessions on your service, and then your client can establish a session with the service. This can only happen while the same channel is used to communicate with the service.

    I hope that will be helpful to you.

    Best Regards,

    McGrady

    Monday, August 17, 2015 8:27 AM
    Moderator
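
The session approach suggested in the last reply, as an added example (not code from the thread or from any of the linked articles): credentials are sent once in `Login`, and later calls on the same channel are authorized from per-session state held by the service. The names `IAccountService`, `AccountService` and `WhoAmI`, the demo account, the address, and the choice of `NetTcpBinding` with transport security (a session-capable binding that encrypts the channel and is usable only by WCF clients) are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.ServiceModel;
[ServiceContract(SessionMode = SessionMode.Required)]
public interface IAccountService
{
    [OperationContract(IsInitiating = true)] bool Login(string user, string password);
    [OperationContract(IsInitiating = false)] string WhoAmI();
    [OperationContract(IsInitiating = false, IsTerminating = true)] void Logout();
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)] // one instance per channel
public class AccountService : IAccountService
{
    // Constructed demo account; a real service reads salt and hash from its user store.
    static readonly byte[] Salt = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
    static readonly byte[] Stored = Hash("demo-password");
    string _user; // set by Login, lives only as long as this session
    static byte[] Hash(string pw)
    {
        using (var kdf = new Rfc2898DeriveBytes(pw, Salt, 100000)) return kdf.GetBytes(32);
    }
    public bool Login(string user, string password)
    {
        if (string.IsNullOrEmpty(password)) return false;
        byte[] h = Hash(password);
        int diff = user == "demo" ? 0 : 1;
        for (int i = 0; i < h.Length; i++) diff |= h[i] ^ Stored[i]; // compare without early exit
        if (diff == 0) _user = user;
        return diff == 0;
    }
    public string WhoAmI() => _user ?? throw new FaultException("Not authenticated");
    public void Logout() { _user = null; }
    public static void Main() // self-hosts and calls the service in one process (demo only)
    {
        const string address = "net.tcp://localhost:9000/account"; // constructed address
        var binding = new NetTcpBinding(SecurityMode.Transport);   // session-capable, encrypted
        using (var host = new ServiceHost(typeof(AccountService)))
        {
            host.AddServiceEndpoint(typeof(IAccountService), binding, address);
            host.Open();
            var proxy = new ChannelFactory<IAccountService>(binding, new EndpointAddress(address)).CreateChannel();
            Console.WriteLine(proxy.Login("demo", "demo-password")); // credentials cross the wire once
            Console.WriteLine(proxy.WhoAmI());                       // authorized from session state
            proxy.Logout();                                          // terminating call ends the session
            ((IClientChannel)proxy).Close();
        }
    }
}
```

Calling `WhoAmI` on a channel whose `Login` failed returns a fault, and a new channel starts with no authenticated user, which is the "same channel" limitation the reply mentions.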