WCF security, user password without certificate

I am new to WCF. I'm used to *.asmx, but it will become obsolete, so I decided to dive into WCF. I want simple authentication of the username and password for my service, but everywhere on the Internet this is all about X509 certificates. I would like to host my service in IIS, so I will enable SSL.

I followed some welcome WCF world tutorials, but got a little confused with all the new things, datacontract, OperationContract, ServiceContract, required interfaces, all the links in web.config, basicHttpBinding, etc.

I am now in File -> New project -> Visual C# -> WCF -> WCF Service Application

I have a peculiar hello world application, and I would like to know what is the best and easiest way to provide it. I read so many different things that I just don't know what is best for my situation.

The service hosted on IIS will be available on the Internet (with ssl enabled) and usernames and passwords that I would like to send to a few trusted people.

Please advise me about the easiest and most suitable security.

Edit: I am trying to follow this blog post: http://codebetter.com/petervanooijen/2010/03/22/a-simple-wcf-service-with-username-password-authentication-the-things-they-don-t-tell-you/ but I have problems publishing metadata. I assume there is an error in my web.config:

    <system.serviceModel>
      <services>
        <service behaviorConfiguration="WcfServiceSimStars.MyServiceTypeBehaviors" name="FarmService.CustomerDeskOperations">
          <endpoint address="" binding="wsHttpBinding" bindingConfiguration="RequestUserName" contract="WcfServiceSimStars.ISimService" />
          <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
        </service>
      </services>
      <bindings>
        <wsHttpBinding>
          <binding name="RequestUserName" >
            <security mode="Message">
              <message clientCredentialType="UserName"/>
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <client>
        <endpoint address="http://mytestserver/simservice.svc" binding="WSHttpBinding" bindingConfiguration="WSHttpBinding_ISimService" contract="WcfServiceSimStars.ISimService" name="WSHttpBinding_ISimService" />
      </client>
      <behaviors>
        <serviceBehaviors>
          <behavior name="WcfServiceSimStars.MyServiceTypeBehaviors">
            <serviceMetadata httpGetEnabled="true"/>
            <serviceCredentials>
              <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfServiceSimStars.UserValidatorr, WcfServiceSimStars" />
              <serviceCertificate findValue="Farm" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    </system.serviceModel>

and my solution explorer:

[image: solution explorer]

Edit 2: I tried to open my web.config using the Microsoft Service Configuration Editor from the visual studio tool menu and got this error:

[image: Microsoft Service Configuration Editor]

+6
1 answer

If you want to use SSL, you will need to use X509 certificates.

If you are going to host it in IIS and enable SSL, you need to provide a certificate; for debugging purposes you can create a self-signed certificate from IIS.

After you configure it in IIS, you will need to edit the WCF binding to enable SSL.

You will need a binding with the security mode set to Transport:

    <basicHttpBinding>
      <binding name="SecureBinding" receiveTimeout="01:00:00">
        <security mode="Transport" />
      </binding>
    </basicHttpBinding>

and a secure behavior; the following indicates the SSL certificate to be used:

    <behaviors>
      <serviceBehaviors>
        <behavior name="SecureBehavior">
          <serviceMetadata />
          <serviceCredentials>
            <serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
        <behavior name="StandardBehavior">
        </behavior>
      </serviceBehaviors>
    </behaviors>

You need to create a secure endpoint:

    <services>
      <service behaviorConfiguration="SecureBehavior" name="secureService">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="SecureBinding" contract="<Your webservice class name including namespace>" />
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
    </services>

This will allow you to use SSL on your site after it is hosted.

To connect from your client, you should use the following (assuming C#):

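    // Requires: using System.ServiceModel;
    BasicHttpBinding binding = new BasicHttpBinding();
    // Transport mode: the channel is protected by SSL (HTTPS)
    binding.Security.Mode = BasicHttpSecurityMode.Transport;
    EndpointAddress endpointAddress = new EndpointAddress("Your Service address (including HTTPS)");
    // Client is the generated proxy class for your service
    Client svc = new Client(binding, endpointAddress);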

Another method would be to use encryption instead of SSL. Encrypt the password on the client side and send the encrypted data to the service; I'm not sure of the best practice for this.

Hope this helps

EDIT

If you want to send the username and password to the service, you just need to create a new method inside the service.

In the interface file (IService1.cs) you define an operation contract

    [OperationContract]
    bool Login(string password, string username);

Then you must create a method in the service class (Service1.svc):

    public bool Login(string password, string username)
    {
        // Your Code to check the username and password here
    }

This is probably the easiest way to do this. Another tricky way would be to use a custom membership provider to authenticate users.

You will need to create a class that inherits from MembershipProvider and override the ValidateUser method

    public class SampleMembershipProvider : MembershipProvider
    {
        public override bool ValidateUser(string username, string password)
        {
            // check the username and password here
        }

        // No need to override the other methods just leave them ....
    }

Now you need to tell the web.config to use forms authentication and the custom membership provider:

    <authentication mode="Forms" />
    <membership defaultProvider="CustomMembershipProvider">
      <providers>
        <clear />
        <!-- type must be the namespace-qualified name of the MembershipProvider class defined above -->
        <add name="CustomMembershipProvider" type="SampleApplication.SampleMembershipProvider" />
      </providers>
    </membership>

Now that you have your membership provider set up, you can change your login code from above to the following code. This code will authenticate the user and set an authorization cookie.

    public bool Login(string password, string username)
    {
        if (Membership.ValidateUser(username, password))
        {
            FormsAuthentication.SetAuthCookie(username, false);
            return true;
        }
        return false;
    }

Now, when you call a method on your service, you can check whether the user has been authenticated; if so, you can run the command, otherwise not.

    bool DoWork()
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            // do something
            return true;
        }
        else
        {
            return false;
        }
    }

Let me know if you need me to clarify anything.

+15
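
One way to fill in the check that both the question's customUserNamePasswordValidatorType setting and the answer's Login / ValidateUser placeholders leave open (an added example, not code from the question or the answer). PasswordStore and SampleUserValidator are hypothetical names, the in-memory dictionary stands in for a real user table, and the code assumes .NET Framework 4.7.2 or later with C# 7.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // UserNamePasswordValidator (System.IdentityModel.dll)
using System.IdentityModel.Tokens;      // SecurityTokenValidationException
using System.Security.Cryptography;

// Hypothetical store: user name -> "salt:hash" (Base64). Stands in for a user table.
public static class PasswordStore
{
    const int Iterations = 100000, SaltSize = 16, HashSize = 32;
    static readonly Dictionary<string, string> Users =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
    // Verified against for unknown users so they take as long as known ones.
    static readonly string DummyRecord = MakeRecord(Guid.NewGuid().ToString());

    public static void AddUser(string userName, string password) => Users[userName] = MakeRecord(password);

    public static bool Verify(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;
        bool known = Users.TryGetValue(userName, out string record);
        string[] parts = (known ? record : DummyRecord).Split(':');
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Derive(password, Convert.FromBase64String(parts[0]));
        // Compare every byte so timing does not reveal where the hashes differ.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return known && diff == 0;
    }
    static string MakeRecord(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(Derive(password, salt));
    }
    static byte[] Derive(string password, byte[] salt)
    {
        // PBKDF2: only the salted, iterated hash is stored, never the password.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }
}

// WCF calls Validate with the client's user name and password; throwing rejects the caller.
public class SampleUserValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (!PasswordStore.Verify(userName, password))
            throw new SecurityTokenValidationException("Unknown user name or incorrect password.");
    }
}
```

The same PasswordStore.Verify call can serve as the body of the answer's Login or ValidateUser methods. For the WCF validator, the customUserNamePasswordValidatorType attribute in web.config must give this class's namespace-qualified name and its assembly.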

Source: https://habr.com/ru/post/892046/

