WebHttpBinding with HTTPS and authentication with UserNamePasswordValidator when hosted in IIS

I am trying to configure a WCF service hosted in IIS that provides an endpoint that acts like a REST service that creates JSON data, and I want to use HTTPS. I want to authenticate the user myself with UserNamePasswordValidator, since users are stored in the database.

I am currently using webHttpBinding to achieve REST completeness. My problem starts when I try to enable HTTPS (setting security mode to "Transport"). I have a server-side SSL certificate (self-signed for now), so that's all fine, but I don't know how to configure the clientCredentialType transport bindings so that the credentials are passed to my UserNamePasswordValidator implementation.

I googled a lot, but I couldn't find anything good. If I understand it correctly, IIS processes authentication before WCF, and there is nothing to be done about it? I would prefer not to use the ASP.NET membership provider, but maybe that is an approach, or is there another way?

Thanks!

Edit: found this. Not quite what I was hoping for...

+6
2 answers

After a long search, I found a couple of possible solutions.

The recommended way to enable authentication using RESTful WCF services hosted in IIS seems to be to use tokens, either using a third-party OAuth implementation or implementing something of your own. However, this will give me some problems with my netTcp endpoint, and I probably won't be able to use the same implementation for both endpoints (since I will need to do some token validation on calls coming through the webHttp endpoint).

The solution given by Ladislav Mrnka is also valid.

+1

You cannot use UserName credentials - this is message-level authentication through a SOAP header, but JSON data exchange does not have such a header. Try setting the Basic credentials in the transport element (= transport layer authentication). It must work with a custom password for authentication with .NET 3.5. For successful authentication, you will need to go through the correct HTTP header for basic authentication.

Edit:

I have not tested it using IIS, so there may be some problems because IIS starts authentication before executing a custom validator. In this case, you will need a custom HTTP module for authentication.

+1
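The transport-level Basic setup described in the answer above, written out as a `web.config` fragment. This is an added example, not configuration from either poster; the service, contract, validator type and configuration names (`MyApp.*`, `secureWeb`, `customValidation`, `rest`) are hypothetical. As the answer's edit notes, IIS may authenticate the request itself before the custom validator is ever called.

```xml
<system.serviceModel>
  <bindings>
    <webHttpBinding>
      <binding name="secureWeb">
        <!-- HTTPS only; credentials arrive in the HTTP Authorization header,
             not in a SOAP header, so message-level UserName is not an option -->
        <security mode="Transport">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
    </webHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="customValidation">
        <serviceCredentials>
          <!-- Hypothetical type: a class deriving from
               System.IdentityModel.Selectors.UserNamePasswordValidator
               that checks the user against the database -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="MyApp.DbUserValidator, MyApp" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <behavior name="rest">
        <webHttp />
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <services>
    <service name="MyApp.DataService" behaviorConfiguration="customValidation">
      <endpoint address="" binding="webHttpBinding"
                bindingConfiguration="secureWeb"
                behaviorConfiguration="rest"
                contract="MyApp.IDataService" />
    </service>
  </services>
</system.serviceModel>
```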

Source: https://habr.com/ru/post/890584/

