I am trying to configure my WCF service to use a custom username validator over HTTP and my ASP.NET Development server. Following are the parts of the serviceModel...
<basicHttpBinding>
<binding name="Authentication" >
<security mode="TransportCredentialOnly" >
<message clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
<service behaviorConfiguration="ApiBehavior" name="CriticalWatch.AuthenticationAPI.AuthenticationAPI">
<endpoint address="/" binding="basicHttpBinding" bindingConfiguration="AuthenticationBinding" name="Authentication" contract="CriticalWatch.AuthenticationAPI.IAuthenticationAPI" />
</service>
I then have a behavior for the validator...
<serviceBehaviors>
<behavior name="ApiBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Service.CustomUserNameValidator, MyService" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
My CustomUserNameValidator inherits from the UserNamePasswordValidator. The validator class gets instantiated, but the Validate method is never called. Plus, the client can call the method without passing any username and password.
What am I missing?
At this time, I want a solution that does not require HTTPS. I want to rely on the username and password passed with the message.
Also, see my blog post on how to implement a binding that will allow you to pass username and password over HTTP without SSL: http://blog.tonysneed.com/2012/06/18/building-scalable-and-secure-wcf-services/ Keep in mind, however, it's not a good idea to pass credentials in the clear over a non-secure transport. The technique I describe assumes you are using another mechanism, such as IPSec, to secure the transport, and it is useful for a load balancer that supports SSL termination for better scalability.
To specifically address your scenario, I would recommend that you bite the bullet and set up your development environment with SSL so that you can use the HTTPS binding with WCF and your username-password validator. This is much easier than implementing a custom binding element and is not as difficult as you might think. In fact, if you have IIS Express installed, you get a self-signed certificate that you can easily use as a certificate on IIS, or with a Windows Service.
Cheers, Tony Sneed