开发者

WCF Authentication: Custom Username and Password Validator asp.net

is it necessary to create a service certificate to use custom username and password authentication? I want to authenticate my WCF service with custom username and password.

My Service web.config is as follows:

<system.serviceModel>
    <bindings>
        <wsHttpBinding>`enter code here`
            <binding name="NewBinding0">
                <security mode="Message">
                    <transport clientCredentialType="Basic" />
                    <message clientCredentialType="UserName" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <services>
        <service behaviorConfiguration="WcfTest.Service1Behavior" name="WcfTest.TestService">
            <endpoint address="" binding="wsHttpBinding" contract="WcfTest.ITestService" />
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
        </service>
    </services>
    <behaviors>
        <endpointBehaviors>
            <behavior name="NewBehavior" />
        </endpointBehaviors>
        <serviceBehaviors>
            <behavior name="WcfTest.Service1Behavior">
                <serviceMetadata httpGetEnabled="false" />
                <serviceDebug includeExceptionDetailInFaults="false" />
                <serviceCredentials>   
                    <!-- Use our own custom validation -->
                    <userNameAuthentication userNamePasswordValidationMode="Custom"
                     customUserNamePasswordValidatorType="MyValidator,WcfTest"/>
                </serviceCredentials>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

and Client Web.config is:

<system.serviceModel>
    <bindings>
        <wsHttpBinding>
            <binding name="WSHttpBinding_ITestService" closeTimeout="00:01:00"
                 开发者_JAVA百科    openTimeout="00:01:00" receiveTimeout="00:10:00" 
                     sendTimeout="00:01:00" bypassProxyOnLocal="false" 
                     transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                     maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                     messageEncoding="Text" textEncoding="utf-8" 
                     useDefaultWebProxy="true" allowCookies="false">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" 
                              maxArrayLength="16384" maxBytesPerRead="4096" 
                              maxNameTableCharCount="16384" />
                <reliableSession ordered="true" inactivityTimeout="00:10:00"
                                 enabled="false" />
                <security mode="Message">
                    <transport clientCredentialType="Windows" proxyCredentialType="None"
                               realm="" />
                    <message clientCredentialType="UserName" 
                             negotiateServiceCredential="true"
                             algorithmSuite="Default" 
                             establishSecurityContext="true" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://localhost:2374/Service1.svc" binding="wsHttpBinding"
                  bindingConfiguration="WSHttpBinding_ITestService" 
                  contract="ServiceReference1.ITestService"
                  name="WSHttpBinding_ITestService">
            <identity>
                <userPrincipalName value="NYSA31\abc" />
            </identity>
        </endpoint>
    </client>
</system.serviceModel>

But i am getting following error accessing the service.

WCF Authentication: Custom Username and Password Validator asp.net


WsHttpBinding demands service certificate. WCF 4 (and older versions with special KB) allows exposing service authenticated with UserName and password without certificate but do you really want it? It means that user name and password will go in the plain text over the wire = no security because anybody who will capture the packet will be able to authenticate with stolen credentials.

To use user name password without certificate you need custom binding or you can use ClearUserNameBinding.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜