Re: WCF Security - UserName



Hi Henrik,

TransportWithMessageCredential required transport security (aka HTTPS). It is also not compatible with TransportCredentialOnly. The former uses a SOAP header, the latter an HTTP header.

It is not trivial to get this scenario to work with .NET 3.0. In 3.5 you can use Transport security with custom usernames.

See: http://www.leastprivilege.com/FinallyUsernamesOverTransportAuthenticationInWCF.aspx
http://www.leastprivilege.com/WCFUsernamesOverTransportAndIISHosting.aspx


Regardless I wouldn't advise sending credentials in clear text over the wire. Intranet or not.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hi,

I have a WCF service which I would like to secure using a
username/password kombination. I have added the following code in the
config file on the host:

<basicHttpBinding>
<binding name="Binding1">
<security mode="TransportWithMessageCredential">
<message clientCredentialType ="UserName" />
</security>
</binding>
</basicHttpBinding>
...
<serviceCredentials>
<userNameAuthentication
userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="My.Host.MyUserNameValidator,
My.Host"
/>
</serviceCredentials>
...
I have added this code in the config file on the client:

<basicHttpBinding>
<binding name="NewBinding">
<!--<security mode="TransportCredentialOnly">-->
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Basic" />
</security>
</binding>
</basicHttpBinding>
Before I create my proxy I am setting a username and a password on the
ChannelFactory

ChannelFactory<IMyService> fact =
new ChannelFactory<IMyService>("main");
fact.Credentials.UserName.UserName = "Henrik";
fact.Credentials.UserName.Password = "MyPass";
proxy = fact.CreateChannel();

I now get the following error:
The provided URI scheme 'http' is invalid; expected 'https'.
I can understand why I get it, because I am not passing a https url,
but both the service and the application is running inside the
firewall, so I would like to use normal http or mayby binary.

I have tried to use TransportCredentialOnly instead of
TransportWithMessageCredential. Then I get no error, but the code in
my server side UserNameValidator is never run, which means nothing is
being validated. So I am kind of stuck in between.

Any ideas?

Best regards
Henrik Skak Pedersen


.



Relevant Pages

  • Re: confusion on HTTP and SOAP
    ... Your webservice is like one person sending a letter to another person ... HTTP is the postal service that is responsible for getting your letter ... SOAP is the format of information in your letter. ... So, in a webservice, HTTP is the transport system used to move your ...
    (comp.lang.java.programmer)
  • Re: WCF Security - UserName
    ... TransportWithMessageCredential required transport security. ... In 3.5 you can use Transport security with custom usernames. ... Dominick Baier ... The provided URI scheme 'http' is invalid; ...
    (microsoft.public.dotnet.security)
  • Re: Multiple XML-RPC calls over the same connection?
    ... If I want to talk to UserLand Frontier or be a replacement server ... then I would have to do HTTP-POST support. ... HTTP is the default and most common transport. ...
    (comp.lang.python)
  • Re: Question about Delphi 8
    ... > not only on SOAP because it can't handle everything easily and there ... > are applications where HTTP is not the better transport, ...
    (borland.public.delphi.non-technical)
  • Re: OWA 2003
    ... > users can log in by entering only their usernames rather than ... Yes just set it through ESM> Protocols> HTTP. ...
    (microsoft.public.exchange.clients)