WCF custom userName authentication using HTTP

wcf security http username
Ron picture Ron · Oct 10, 2012 · Viewed 9.7k times · Source

I am trying to configure my WCF service to use a custom username validator over HTTP and my ASP.NET Development server. Following are the parts of the serviceModel...

<basicHttpBinding>
    <binding name="Authentication" >
      <security mode="TransportCredentialOnly" >
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
</basicHttpBinding>

  <service behaviorConfiguration="ApiBehavior" name="CriticalWatch.AuthenticationAPI.AuthenticationAPI">
    <endpoint address="/" binding="basicHttpBinding" bindingConfiguration="AuthenticationBinding" name="Authentication" contract="CriticalWatch.AuthenticationAPI.IAuthenticationAPI" />
  </service>

I then have a behavior for the validator...

  <serviceBehaviors>
    <behavior name="ApiBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Service.CustomUserNameValidator, MyService" />
      </serviceCredentials>

    </behavior>
  </serviceBehaviors>

My CustomUserNameValidator inherits from the UserNamePasswordValidator. The validator class gets instantiated, but the Validate method is never called. Plus, the client can call the method without passing any username and password.

What am I missing?

At this time, I want a solution that does not require HTTPS. I want to rely on the username and password passed with the message.

Answer

Anthony Sneed picture Anthony Sneed · Oct 11, 2012

Also, see my blog post on how to implement a binding that will allow you to pass username and password over HTTP without SSL: http://blog.tonysneed.com/2012/06/18/building-scalable-and-secure-wcf-services/ Keep in mind, however, it's not a good idea to pass credentials in the clear over a non-secure transport. The technique I describe assumes you are using another mechanism, such as IPSec, to secure the transport, and it is useful for a load balancer that supports SSL termination for better scalability.

To specifically address your scenario, I would recommend that you bite the bullet and set up your development environment with SSL so that you can use the HTTPS binding with WCF and your username-password validator. This is much easier than implementing a custom binding element and is not as difficult as you might think. In fact, if you have IIS Express installed, you get a self-signed certificate that you can easily use as a certificate on IIS, or with a Windows Service.

Cheers, Tony Sneed

Related questions

Best Practices for securing a REST API / web service

When designing a REST API or service are there any established best practices for dealing with security (Authentication, Authorization, Identity Management) ? When building a SOAP API you have WS-Security as a guide and much literature exists on the topic. I …

Read More
WCF - Windows authentication - Security settings require Anonymous

I am struggling hard with getting WCF service running on IIS on our server. After deployment I end up with an error message: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application …

Read More
The HTTP request was forbidden with client authentication scheme 'Anonymous'

This seams to be a common problem, and I have looked at all the answers here but none have helped. I am trying to get SSL to work with basichttpbinding and WCF service hosted on iis. I think the problem …

Read More