Avoiding setting client credentials for every web call
I am using security now and I have to set ClientCre开发者_运维问答dentials before my web calls.
This is a repetitive thing as I have many web calls always passing the same exact thing.
What is a good pattern to avoid having to do this sort of thing?
WCF implements WS-SecureConversation. This allows client to pass credentials only once and subsequent calls are automatically using security token generated by secure conversation handshake between client and service. In WCF this is known as security context or security session and it is normally turned on by default in wsHttpBinding
. When using security context you must follow basic rules:
- Your service becames instanced per session so it is long living service instance and you must handle all disadvantages and problems related to session expiration etc.
- Security session is created between single client proxy instance and service instance so it works only if you are using the same proxy. If you create new proxy you must send credentials again to initiate secure conversation.
- First call to the service is slower because of estabilishing security context.
If you do not follow this approach you can for example implement custom SOAP header and message inspetor which will include the header on the client side and check the header on the server side. This solution is completely outside of WCF security pipeline and cannot be combined with common user name and password in WCF. You must send user name and password separately as well.
If you want to include custom solution in WCF pipeline you can expect very complex task because integrating such solution to WCF security pipeline requires custom authorization policy, cutom token, token manager, token authenticator, token resolver and client credentials.
But as I understand your problem you don't like setting credentials before each call - it means you are using new proxy for each call. So you will write a lot of code which will result in fact that you will not need to set user name and password for subsequent calls but you will have to set custom token which will be validate on the service. You will also have to manage these tokens on the service.
It should be probably easier to create some wrapper for calling web service which will set user name and password.
Good pattern is to send session token from service to client after authorization and then send it with every call instead of credentials.
精彩评论