I am trying to configure a WCF service with built-in authentication. I want to use a custom UserNamePasswordValidator to check the credentials sent in messages.
If I use the standard wsHttpBinding, I can get this without problems using the following configuration:
<wsHttpBinding>
  <binding name="wsHttpBinding_Default" maxReceivedMessageSize="2147483647">
    <security mode="Message">
      <message clientCredentialType="UserName" establishSecurityContext="false" negotiateServiceCredential="false" />
    </security>
    <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
                  maxArrayLength="2147483647" maxBytesPerRead="2147483647"
                  maxNameTableCharCount="2147483647" />
  </binding>
</wsHttpBinding>
Using SoapUI as my test client, I can start my validator by sending the username and password with the parameter WSS-Password Type set to PasswordText.
However, this sends username and password in text form. And WCF does not accept any questions. Here is an example request:
POST https://localhost/AuthenticationService/AuthenticationService.svc HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="http://tempuri.org/IAuthenticationService/GetIdentity"
Content-Length: 1060
Host: localhost
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tem="http://tempuri.org/">
  <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-F5AF0BFF1621013979151869690921760">
        <wsse:Username>test</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">LoAQmA/vE33hxFD/nDsBrA==</wsse:Nonce>
        <wsu:Created>2018-02-15T12:15:09.217Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
    <wsa:Action>http://tempuri.org/IAuthenticationService/GetIdentity</wsa:Action>
  </soap:Header>
  <soap:Body>
    <tem:GetIdentity/>
  </soap:Body>
</soap:Envelope>
Therefore, it seems to me that WCF ignores the message security part. I understand that every message in WCF message security must be encrypted and signed.
EDIT:
<serviceBehaviors>
  <behavior name="AuthenticationServiceBehaviour">
    <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="true" />
    <serviceCredentials>
      <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="0e0bab25486677f12fc8abdf1345e5313aec4f67"/>
      <clientCertificate>
        <authentication certificateValidationMode="ChainTrust" trustedStoreLocation="LocalMachine"/>
        <certificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="0e0bab25486677f12fc8abdf1345e5313aec4f67"/>
      </clientCertificate>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>
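An added example, not part of the original post: a small Python check that inspects a captured SOAP request like the one above and reports whether the UsernameToken travels as PasswordText and whether the message carries any message-level signature or encryption. The function name `audit_envelope` and the shortened sample envelope are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, parse with defusedxml instead

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NS = {"wsse": WSSE,
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}

# Constructed sample: a shortened copy of the request shape shown in the post.
SAMPLE = f"""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <wsse:UsernameToken>
        <wsse:Username>test</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

def audit_envelope(xml_text):
    """Report how a SOAP request carries its UsernameToken and whether it is protected."""
    root = ET.fromstring(xml_text)
    report = {"has_security_header": False, "password_type": None,
              "signed": False, "encrypted": False, "findings": []}
    security = root.find(".//wsse:Security", NS)
    if security is None:
        report["findings"].append("no wsse:Security header")
        return report
    report["has_security_header"] = True
    report["signed"] = security.find(".//ds:Signature", NS) is not None
    report["encrypted"] = (root.find(".//xenc:EncryptedData", NS) is not None
                           or security.find(".//xenc:EncryptedKey", NS) is not None)
    pw = security.find("wsse:UsernameToken/wsse:Password", NS)
    if pw is not None:
        # The UsernameToken profile treats a missing Type attribute as PasswordText.
        ptype = pw.get("Type", "#PasswordText")
        report["password_type"] = ptype.rsplit("#", 1)[-1]
        if report["password_type"] == "PasswordText" and not report["encrypted"]:
            report["findings"].append("cleartext password; only transport TLS (if any) protects it")
    if not report["signed"]:
        report["findings"].append("no ds:Signature; message has no message-level integrity")
    return report

if __name__ == "__main__":
    print(audit_envelope(SAMPLE))
```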