WCF Security:authentication based on Username/Password - Part I

yuzhangqi發表於2010-05-17

Goals:

To enhancement security of WCF webservice, we need to authenticate the client of our WCF webservice. In the case of Sentry Project, we choose to authenticate the client of WCF webservice base on username/password,via a custom UserNamePasswordValidator type.

We need a Declarative mode by setting configurations of WCF and the client.

Questions:

While researching, I encountered the following troubles:

1. While chosen “Username” option with Message Security, WCF limits the use of usernames to SSL or x.509 enabled only. The following is a official statement:

Username. When using this option, the caller provides a username and password to the service. The service can either authenticate against Windows credentials, use a membership provider such as the SQL Server membership provider, or use a custom validator to validate against the custom store. You should choose this option only when Windows authentication is not possible. The service is authenticated by using a service certificate.

The following list show you the frequent errors caused by incorrect config.

Error Message

BasicHttp binding requires that BasicHttpBinding.Security.Message.ClientCredentialType be equivalent to the BasicHttpMessageCredentialType.Certificate credential type for secure messages. Select Transport or TransportWithMessageCredential security for UserName credentials.

Incorrect Config

<basicHttpBinding>

<binding name="FileTransferBinding">

<security mode="Message">

<message clientCredentialType="UserName"/>

security>

binding>

basicHttpBinding>

Correct Config

<basicHttpBinding>

<binding name="FileTransferBinding">

<security mode="TransportWithMessageCredential">

<message clientCredentialType="UserName"/>

security>

binding>

basicHttpBinding>

Error Message

The service certificate is not provided. Specify a service certificate in ServiceCredentials.

Incorrect Config

<wsHttpBinding>

<binding name="FileTransferMessageSecurity">

<security mode="Message">

<message clientCredentialType="UserName" />

security>

binding>

wsHttpBinding>

Correct Config

<wsHttpBinding>

<binding name="FileTransferMessageSecurity">

<security mode="TransportWithMessageCredential">

<message clientCredentialType="UserName" />

security>

binding>

wsHttpBinding>

Error Message

Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service.

Incorrect Config

<wsHttpBinding>

<binding name="FileTransferMessageSecurity">

<security mode="Transport">

<message clientCredentialType="UserName" />

security>

binding>

wsHttpBinding>

Correct Config

<wsHttpBinding>

<binding name="FileTransferMessageSecurity">

<security mode="TransportWithMessageCredential">

<message clientCredentialType="UserName" />

security>

binding>

wsHttpBinding>

Error Message

A binding instance has already been associated to listen URI ''. If two endpoints want to share the same ListenUri, they must also share the same binding object instance. The two conflicting endpoints were either specified in AddServiceEndpoint() calls, in a config file, or a combination of AddServiceEndpoint() and config.

Incorrect Config

<services>

<service behaviorConfiguration="DataDistribution.ServiceImplementation.DataDistributionService_Behavior" name="DataDistribution.ServiceImplementation.DataDistributionService">

<endpoint address="" binding="basicHttpBinding" bindingConfiguration="FileTransferBinding" name="DefaultEndpoint" bindingNamespace="urn:Ais.Sentry.Services.ServiceContracts" contract="DataDistribution.ServiceContracts.IDataDistributionService"/>

<endpoint address="" binding="wsHttpBinding" bindingConfiguration="FileTransferMessageSecurity" name="SecureEndpoint" bindingNamespace="urn:Ais.Sentry.Services.ServiceContracts" contract="DataDistribution.ServiceContracts.IDataDistributionService" />

service>

services>

Correct Config

<services>

<service behaviorConfiguration="DataDistribution.ServiceImplementation.DataDistributionService_Behavior" name="DataDistribution.ServiceImplementation.DataDistributionService">

<endpoint address="" binding="basicHttpBinding" bindingConfiguration="FileTransferBinding" name="DefaultEndpoint" bindingNamespace="urn:Ais.Sentry.Services.ServiceContracts" contract="DataDistribution.ServiceContracts.IDataDistributionService"/>

service>

services>

[@more@]

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/13651903/viewspace-1033651/,如需轉載,請註明出處,否則將追究法律責任。

相關文章