WCF Security:authentication based on Username/Password - Part I
Goals:
To enhancement security of WCF webservice, we need to authenticate the client of our WCF webservice. In the case of Sentry Project, we choose to authenticate the client of WCF webservice base on username/password,via a custom UserNamePasswordValidator type.
We need a Declarative mode by setting configurations of WCF and the client.
Questions:
While researching, I encountered the following troubles:
1. While chosen “Username” option with Message Security, WCF limits the use of usernames to SSL or x.509 enabled only. The following is a official statement:
Username. When using this option, the caller provides a username and password to the service. The service can either authenticate against Windows credentials, use a membership provider such as the SQL Server membership provider, or use a custom validator to validate against the custom store. You should choose this option only when Windows authentication is not possible. The service is authenticated by using a service certificate.
The following list show you the frequent errors caused by incorrect config.
Error Message |
BasicHttp binding requires that BasicHttpBinding.Security.Message.ClientCredentialType be equivalent to the BasicHttpMessageCredentialType.Certificate credential type for secure messages. Select Transport or TransportWithMessageCredential security for UserName credentials. |
Incorrect Config |
<basicHttpBinding> <binding name="FileTransferBinding"> <security mode="Message"> <message clientCredentialType="UserName"/> security> binding> basicHttpBinding> |
Correct Config |
<basicHttpBinding> <binding name="FileTransferBinding"> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName"/> security> binding> basicHttpBinding> |
Error Message |
The service certificate is not provided. Specify a service certificate in ServiceCredentials. |
Incorrect Config |
<wsHttpBinding> <binding name="FileTransferMessageSecurity"> <security mode="Message"> <message clientCredentialType="UserName" /> security> binding> wsHttpBinding> |
Correct Config |
<wsHttpBinding> <binding name="FileTransferMessageSecurity"> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName" /> security> binding> wsHttpBinding> |
Error Message |
Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service. |
Incorrect Config |
<wsHttpBinding> <binding name="FileTransferMessageSecurity"> <security mode="Transport"> <message clientCredentialType="UserName" /> security> binding> wsHttpBinding> |
Correct Config |
<wsHttpBinding> <binding name="FileTransferMessageSecurity"> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName" /> security> binding> wsHttpBinding> |
Error Message |
A binding instance has already been associated to listen URI ''. If two endpoints want to share the same ListenUri, they must also share the same binding object instance. The two conflicting endpoints were either specified in AddServiceEndpoint() calls, in a config file, or a combination of AddServiceEndpoint() and config. |
Incorrect Config |
<services> <service behaviorConfiguration="DataDistribution.ServiceImplementation.DataDistributionService_Behavior" name="DataDistribution.ServiceImplementation.DataDistributionService"> <endpoint address="" binding="basicHttpBinding" bindingConfiguration="FileTransferBinding" name="DefaultEndpoint" bindingNamespace="urn:Ais.Sentry.Services.ServiceContracts" contract="DataDistribution.ServiceContracts.IDataDistributionService"/> <endpoint address="" binding="wsHttpBinding" bindingConfiguration="FileTransferMessageSecurity" name="SecureEndpoint" bindingNamespace="urn:Ais.Sentry.Services.ServiceContracts" contract="DataDistribution.ServiceContracts.IDataDistributionService" /> service> services> |
Correct Config |
<services> <service behaviorConfiguration="DataDistribution.ServiceImplementation.DataDistributionService_Behavior" name="DataDistribution.ServiceImplementation.DataDistributionService"> <endpoint address="" binding="basicHttpBinding" bindingConfiguration="FileTransferBinding" name="DefaultEndpoint" bindingNamespace="urn:Ais.Sentry.Services.ServiceContracts" contract="DataDistribution.ServiceContracts.IDataDistributionService"/> service> services> |
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/13651903/viewspace-1033651/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- WCF Security:Silverlight authentication for WCF service based on security token
- WCF Services Sample: Authenticate Silverlight Client based on UserName and Passwordclient
- The password supplied with the username Domain\UserName was not correct. Verify that it was entered ...AI
- WCF Services Sample: Authenticate Silverlight Client based on Custom Security Tokenclient
- ITaCS Change Password web partWeb
- Kafka security-Encryption and Authentication using SSLKafka
- python urllib socks5 auth username password 設定Python
- 關於Support for password authentication 報錯的解決方案
- ORA-01017:invalid username/password; logon deniedGo
- spring security oauth2 password授權模式SpringOAuth模式
- ConfigureGC.pl Reports - Invalid Username/Password. (文件 ID 602750.1)GC
- 【YashanDB資料庫】YAS-02143 invalid username/password, login denied資料庫
- MySQL authentication plugin 'caching_sha2_password' cannot be loaded 問題MySqlPlugin
- SourceTreet提交時顯示remote: Incorrect username or password ( access token )(4種解決辦法)REM
- WCF傳輸安全(TransferSecurity)的基本概念和原理:認證(Authentication)[上篇]
- RMAN-04006: error from auxiliary database: ORA-01017: invalid username/password;ErrorUXDatabase
- MGR無法連線主節點Authentication plugin 'caching_sha2_password'Plugin
- AD Administration error:ORA-01017: invalid username/password; logon deniedErrorGo
- 使用Oracle的Security External Password Store功能實現加密登入Oracle加密
- rac2節點上配置iscsi 遇到iscsiadm: failing authentication, received incorrect username from targetAI
- sqlplus / as sysdba報錯ORA-01017: invalid username/password; logon deniedSQLGo
- EBS在測試時報 APP-FND-01516: Invalid application username,password,or database.APPDatabase
- spring boot 2.0 整合 security oauth2 password 模式和credentials 模式Spring BootOAuth模式
- Part I Concepts and Administration
- SQL Profiles-Part I--老熊SQL
- 【做題記錄】ds合集 Part I
- 【DG】搭建DG時報錯:ORA-01017、ORA-17627、ORA-17629 invalid username/password
- Risk Based Security三季度漏洞快報:近50%可被遠端利用
- Oracle Appliactions 11i concepts(八) - Authentication and Integration(1)OracleAPP
- oracle administrator's guide Part IOracleGUIIDE
- URL username 屬性
- Oracle Appliactions 11i concepts(十一) - SecurityOracleAPP
- Part I Multitenant Architecture (多租戶結構)NaN
- 遠端登入sys使用者報錯:ORA-01017: invalid username/password; logon deniedGo
- SYS使用者遠端登入報錯:ORA-01017: invalid username/password; logon deniedGo
- Oracle 20C Concepts(Part I-2)Oracle
- oracle database backup and recovery user's guide part I & IIOracleDatabaseGUIIDE
- ORA-01017: invalid username/password; logon denied ORA-02063: preceding line from TESTGo