WCF Security: Authentication Based on Username/Password - Part III

1. By now, we know how to configure our WCF web service and client so that they work with Username authentication, with either basicHttpBinding or wsHttpBinding. Note the security mode. Using Transport only would leave us no options for a custom username / password scenario; basic and digest both don't play nice with WCF's custom username / password mechanism. Ideal would be Message security, but the combination of Message security and basicHttpBinding doesn't support a username / password scenario. That leaves us with one option that supports a WCF custom username / password scenario and can be used with a basicHttpBinding, namely TransportWithMessageCredential. This option means that the credentials are part of the SOAP message, but are stored in plain text. Because storing the credentials in plain text is insecure, a secure connection is mandatory; for HTTP this means SSL. So this option really is a combination of transport security (SSL) and credentials inside the message, hence the name TransportWithMessageCredential I guess :).

Next, I will show you how to configure IIS 7.0 with SSL enabled.

IIS Manager

Obtain a Certificate

Select the server node in the treeview and double-click the Server Certificates feature in the listview.

Click Create Self-Signed Certificate... in the Actions pane.

Enter a friendly name for the new certificate and click OK.

Now you have a self-signed certificate. The certificate is marked for "Server Authentication" use; i.e. use as a server-side certificate for HTTP SSL encryption and for authenticating the identity of the server.

Create an SSL Binding

Select a site in the treeview and click Bindings... in the Actions pane. This brings up the bindings editor that lets you create, edit, and delete bindings for your website. Click the Add... button to add your new SSL binding to the site.

New bindings default to http on port 80. Select https in the Type drop-down. Select the self-signed certificate you created earlier from the SSL Certificate drop-down and click OK.

Now you have a new SSL binding on your site and all that remains is to verify that it works.

Verify the SSL Binding

Look in your site's Actions pane for a link that will browse your site over your new HTTPS binding. Click this link to test your new binding.

IE7 will show you an error page because the self-signed certificate was issued by your machine, not a trusted Certificate Authority (CA). IE7 will trust the certificate if you add it to the list of Trusted Root Certification Authorities in the certificates store on the local machine or in Group Policy for the domain. Click Continue to this website (not recommended).

Configure SSL Settings

Configure SSL settings if you want your site to require SSL, or to interact in a specific way with client certificates. Click the site node in the treeview to go back to the site's home page. Double-click the SSL Settings feature in the middle pane.

2. Conclusion:

To use custom username/password authentication, the following pre-conditions are required.

1) IIS 7.0 with SSL enabled.

2) IIS authentication settings:

Anonymous authentication – Enabled

ASP.NET Impersonation authentication - N/A

Basic authentication – Disabled

Digest authentication – Disabled

Forms authentication – Enabled

Windows authentication - Disabled

3) Service and client side configuration:

<bindings>
  <basicHttpBinding>
    <binding name="FileTransferBinding">
      <!-- SSL protects the transport; the username/password travel inside the SOAP message -->
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </basicHttpBinding>
  <wsHttpBinding>
    <binding name="FileTransferTransportSecurity">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="DataDistribution.ServiceImplementation.DataDistributionService_Behavior">
      <!-- Returns exception details to callers; set to false outside development -->
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceMetadata httpsGetEnabled="true" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="DataDistribution.ServiceImplementation.UserValidator, DataDistribution.ServiceImplementation" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

This is achieved by setting the "userNamePasswordValidationMode" to "Custom" and the "customUserNamePasswordValidatorType" to a type that can perform our custom validation. The format is {FullyQualifiedTypeName, AssemblyName}.

4) Implement a custom validator class

Here are a couple of rules for this class:

· In order to be used as a custom username / password validator, it must be derived from the UserNamePasswordValidator class.

· Perform authentication by overriding the Validate method.

If validation fails, throw a SecurityTokenException if you want a non-informative message or a FaultException if you want an informative message. If validation succeeds, just do nothing.

Source: ITPUB blog, link: http://blog.itpub.net/13651903/viewspace-1033655/. Please credit the source when reposting; otherwise legal liability will be pursued.
