WCF Intranet Security Configuration

We have some applications (web and WPF) that call WCF services to access data. We are not using Windows Authentication. The user is prompted for a username and password when logging into the web app or WPF desktop app. The data is not highly confidential (i.e. no credit cards, SSN, etc.).

We would like to use BasicHttpBinding for the WCF开发者_如何学C endpoints. However, we want to pass a username and password to our WCF services so that we can restrict access to certain data depending on the user.

My question is, since we are 100% in an intranet environment would it be reasonable to simply pass the user's username and password in the header of the SOAP messages so that we can authentic the users on the WCF side? This seems like a very common situation and I'm curious how others have addressed security on the WCF side when all applications and services reside in an intranet environment.

Thanks.

It seems like pretty easy task but in reality it is quite hard because WCF team has already made decission that sending plain text user name token over unsecured channel is not allowed. You can always send user name and password in custom SOAP header but in that case you will lose WCF security infrastructure and you will have to inject your own password validation behavior etc.

If you really need plain text user name token you should check this binding.

Edit: Btw. remember that the most security attacks came from insiders so using HTTPS is not bad decission and it will make things much easier.

Yes, this would be reasonable--HOWEVER: you should encrypt the password, even though you are on an intranet. Anyone using a network sniffer, such as WireShark, can see the text of the communication, and if you have not encrypted the password, then even if they are employees, they will be able to get the passwords--completely defeating any internal security--that is, unless you trust your employees so much that usernames and passwords really don't mean anything, anyhow.

If your using wcf 3.5 sp1 you can allow user name and passwords across a none secure binding just set the security transport's AllowInsecureTransport to true.

Password should never be sent in plain text. Some people use the same password for different things. Stealing someone's password could lead to a serious case of identity theft, even though your application my never be compromised (and the victim won't even know the source of the leak).

There's a reason passwords are hashed - even the computer shouldn't know your password!