HighTechTalks DotNet Forums  

WCF Security - UserName

Go Back HighTechTalks DotNet Forums Dotnet Dotnet Security WCF Security - UserName

Dotnet Security microsoft.public.dotnet.security


Discuss WCF Security - UserName in the Dotnet Security forum.



Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old   
Henrik Skak Pedersen
 
Posts: n/a

Default WCF Security - UserName - 12-05-2007 , 03:28 PM





Hi,

I have a WCF service which I would like to secure using a username/password
kombination. I have added the following code in the config file on the host:

<basicHttpBinding>
<binding name="Binding1">
<security mode="TransportWithMessageCredential">
<message clientCredentialType ="UserName" />
</security>
</binding>
</basicHttpBinding>
....
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="My.Host.MyUse rNameValidator, My.Host"
/>
</serviceCredentials>
....

I have added this code in the config file on the client:

<basicHttpBinding>
<binding name="NewBinding">
<!--<security mode="TransportCredentialOnly">-->
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Basic" />
</security>
</binding>
</basicHttpBinding>


Before I create my proxy I am setting a username and a password on the
ChannelFactory

ChannelFactory<IMyService> fact =
new ChannelFactory<IMyService>("main");
fact.Credentials.UserName.UserName = "Henrik";
fact.Credentials.UserName.Password = "MyPass";

proxy = fact.CreateChannel();

I now get the following error:
The provided URI scheme 'http' is invalid; expected 'https'.

I can understand why I get it, because I am not passing a https url, but
both the service and the application is running inside the firewall, so I
would like to use normal http or mayby binary.

I have tried to use TransportCredentialOnly instead of
TransportWithMessageCredential. Then I get no error, but the code in my
server side UserNameValidator is never run, which means nothing is being
validated. So I am kind of stuck in between.

Any ideas?

Best regards
Henrik Skak Pedersen


Reply With Quote
  #2  
Old   
Dominick Baier
 
Posts: n/a

Default Re: WCF Security - UserName - 12-05-2007 , 05:20 PM





Hi Henrik,

TransportWithMessageCredential required transport security (aka HTTPS). It
is also not compatible with TransportCredentialOnly. The former uses a SOAP
header, the latter an HTTP header.

It is not trivial to get this scenario to work with .NET 3.0. In 3.5 you
can use Transport security with custom usernames.

See:
http://www.leastprivilege.com/Finall...onInWCF.a spx
http://www.leastprivilege.com/WCFUse...ISHosting.aspx


Regardless I wouldn't advise sending credentials in clear text over the wire.
Intranet or not.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Quote:
Hi,

I have a WCF service which I would like to secure using a
username/password kombination. I have added the following code in the
config file on the host:

basicHttpBinding
binding name="Binding1"
security mode="TransportWithMessageCredential"
message clientCredentialType ="UserName" /
/security
/binding
/basicHttpBinding
...
serviceCredentials
userNameAuthentication
userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="My.Host.MyUse rNameValidator,
My.Host"
/
/serviceCredentials
...
I have added this code in the config file on the client:

basicHttpBinding
binding name="NewBinding"
!--<security mode="TransportCredentialOnly">--
security mode="TransportWithMessageCredential"
transport clientCredentialType="Basic" /
/security
/binding
/basicHttpBinding
Before I create my proxy I am setting a username and a password on the
ChannelFactory

ChannelFactory<IMyService> fact =
new ChannelFactory<IMyService>("main");
fact.Credentials.UserName.UserName = "Henrik";
fact.Credentials.UserName.Password = "MyPass";
proxy = fact.CreateChannel();

I now get the following error:
The provided URI scheme 'http' is invalid; expected 'https'.
I can understand why I get it, because I am not passing a https url,
but both the service and the application is running inside the
firewall, so I would like to use normal http or mayby binary.

I have tried to use TransportCredentialOnly instead of
TransportWithMessageCredential. Then I get no error, but the code in
my server side UserNameValidator is never run, which means nothing is
being validated. So I am kind of stuck in between.

Any ideas?

Best regards
Henrik Skak Pedersen



Reply With Quote
  #3  
Old   
Henrik Skak Pedersen
 
Posts: n/a

Default Re: WCF Security - UserName - 12-10-2007 , 02:41 PM


Hi Dominick,

Again, thank you very much for your help :-)

The service will run in 3.5, so it is no problem at all.

Cheers
Henrik

"Dominick Baier" <dbaier (AT) pleasepleasenospam_leastprivilege (DOT) com> wrote in
message news:8e6a913a1a78f8ca05ac8f6523e0 (AT) news (DOT) microsoft.com...
Quote:
Hi Henrik,
TransportWithMessageCredential required transport security (aka HTTPS). It
is also not compatible with TransportCredentialOnly. The former uses a
SOAP header, the latter an HTTP header.

It is not trivial to get this scenario to work with .NET 3.0. In 3.5 you
can use Transport security with custom usernames.

See:
http://www.leastprivilege.com/Finall...onInWCF.a spx
http://www.leastprivilege.com/WCFUse...ISHosting.aspx


Regardless I wouldn't advise sending credentials in clear text over the
wire. Intranet or not.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Hi,

I have a WCF service which I would like to secure using a
username/password kombination. I have added the following code in the
config file on the host:

basicHttpBinding
binding name="Binding1"
security mode="TransportWithMessageCredential"
message clientCredentialType ="UserName" /
/security
/binding
/basicHttpBinding
...
serviceCredentials
userNameAuthentication
userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="My.Host.MyUse rNameValidator,
My.Host"
/
/serviceCredentials
...
I have added this code in the config file on the client:

basicHttpBinding
binding name="NewBinding"
!--<security mode="TransportCredentialOnly">--
security mode="TransportWithMessageCredential"
transport clientCredentialType="Basic" /
/security
/binding
/basicHttpBinding
Before I create my proxy I am setting a username and a password on the
ChannelFactory

ChannelFactory<IMyService> fact =
new ChannelFactory<IMyService>("main");
fact.Credentials.UserName.UserName = "Henrik";
fact.Credentials.UserName.Password = "MyPass";
proxy = fact.CreateChannel();

I now get the following error:
The provided URI scheme 'http' is invalid; expected 'https'.
I can understand why I get it, because I am not passing a https url,
but both the service and the application is running inside the
firewall, so I would like to use normal http or mayby binary.

I have tried to use TransportCredentialOnly instead of
TransportWithMessageCredential. Then I get no error, but the code in
my server side UserNameValidator is never run, which means nothing is
being validated. So I am kind of stuck in between.

Any ideas?

Best regards
Henrik Skak Pedersen


Reply With Quote
Reply

« Previous Thread | Next Thread »



Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.


Contact Us - HighTechTalks DotNet Forums - Archive - Top