 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / Security / December 2007WCF Security - UserName
Hi, I have a WCF service which I would like to secure using a username/password kombination. I have added the following code in the config file on the host: <basicHttpBinding> <binding name="Binding1"> <security mode="TransportWithMessageCredential"> <message clientCredentialType ="UserName" /> </security> </binding> </basicHttpBinding> ... <serviceCredentials> <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="My.Host.MyUserNameValidator, My.Host" /> </serviceCredentials> ... I have added this code in the config file on the client: <basicHttpBinding> <binding name="NewBinding"> <!--<security mode="TransportCredentialOnly">--> <security mode="TransportWithMessageCredential"> <transport clientCredentialType="Basic" /> </security> </binding> </basicHttpBinding> Before I create my proxy I am setting a username and a password on the ChannelFactory ChannelFactory<IMyService> fact = new ChannelFactory<IMyService>("main"); fact.Credentials.UserName.UserName = "Henrik"; fact.Credentials.UserName.Password = "MyPass"; proxy = fact.CreateChannel(); I now get the following error: The provided URI scheme 'http' is invalid; expected 'https'. I can understand why I get it, because I am not passing a https url, but both the service and the application is running inside the firewall, so I would like to use normal http or mayby binary. I have tried to use TransportCredentialOnly instead of TransportWithMessageCredential. Then I get no error, but the code in my server side UserNameValidator is never run, which means nothing is being validated. So I am kind of stuck in between. Any ideas? Best regards Henrik Skak Pedersen Hi Henrik, TransportWithMessageCredential required transport security (aka HTTPS). It is also not compatible with TransportCredentialOnly. The former uses a SOAP header, the latter an HTTP header. It is not trivial to get this scenario to work with .NET 3.0. In 3.5 you can use Transport security with custom usernames. See: http://www.leastprivilege.com/FinallyUsernamesOverTransportAuthenticationInWCF.aspx http://www.leastprivilege.com/WCFUsernamesOverTransportAndIISHosting.aspx Regardless I wouldn't advise sending credentials in clear text over the wire. Intranet or not. ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > Hi, > [quoted text clipped - 52 lines] > Best regards > Henrik Skak Pedersen Hi Dominick, Again, thank you very much for your help :-) The service will run in 3.5, so it is no problem at all. Cheers Henrik > Hi Henrik, > TransportWithMessageCredential required transport security (aka HTTPS). It [quoted text clipped - 73 lines] >> Best regards >> Henrik Skak Pedersen Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.