WCF Security: authentication based on Username/Password - Part I
Goals:
To strengthen the security of our WCF web service, we need to authenticate its clients. For the Sentry project we chose to authenticate clients of the WCF web service by username/password, via a custom UserNamePasswordValidator type.
We want a declarative setup, done entirely through the configuration of the WCF service and of the client.
Questions:
While researching this, I ran into the following troubles:
1. When the "Username" credential type is chosen with Message security, WCF only permits it over SSL or with an X.509 certificate. The official guidance states:
Username. When using this option, the caller provides a username and password to the service. The service can either authenticate against Windows credentials, use a membership provider such as the SQL Server membership provider, or use a custom validator to validate against the custom store. You should choose this option only when Windows authentication is not possible. The service is authenticated by using a service certificate.
The following list shows the errors most often caused by an incorrect configuration, each with the configuration that triggers it and the one that fixes it.

Error message:
  BasicHttp binding requires that BasicHttpBinding.Security.Message.ClientCredentialType be equivalent to the BasicHttpMessageCredentialType.Certificate credential type for secure messages. Select Transport or TransportWithMessageCredential security for UserName credentials.
Incorrect config:
  <basicHttpBinding>
    <binding name="FileTransferBinding">
      <security mode="Message">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </basicHttpBinding>
Correct config:
  <basicHttpBinding>
    <binding name="FileTransferBinding">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </basicHttpBinding>

Error message:
  The service certificate is not provided. Specify a service certificate in ServiceCredentials.
Incorrect config:
  <wsHttpBinding>
    <binding name="FileTransferMessageSecurity">
      <security mode="Message">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
Correct config:
  <wsHttpBinding>
    <binding name="FileTransferMessageSecurity">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>

Error message:
  Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service.
Incorrect config:
  <wsHttpBinding>
    <binding name="FileTransferMessageSecurity">
      <security mode="Transport">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
Correct config:
  <wsHttpBinding>
    <binding name="FileTransferMessageSecurity">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>

Error message:
  A binding instance has already been associated to listen URI ''. If two endpoints want to share the same ListenUri, they must also share the same binding object instance. The two conflicting endpoints were either specified in AddServiceEndpoint() calls, in a config file, or a combination of AddServiceEndpoint() and config.
Incorrect config:
  <services>
    <service behaviorConfiguration="DataDistribution.ServiceImplementation.DataDistributionService_Behavior"
             name="DataDistribution.ServiceImplementation.DataDistributionService">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="FileTransferBinding"
                name="DefaultEndpoint" bindingNamespace="urn:Ais.Sentry.Services.ServiceContracts"
                contract="DataDistribution.ServiceContracts.IDataDistributionService"/>
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="FileTransferMessageSecurity"
                name="SecureEndpoint" bindingNamespace="urn:Ais.Sentry.Services.ServiceContracts"
                contract="DataDistribution.ServiceContracts.IDataDistributionService" />
    </service>
  </services>
Correct config:
  <services>
    <service behaviorConfiguration="DataDistribution.ServiceImplementation.DataDistributionService_Behavior"
             name="DataDistribution.ServiceImplementation.DataDistributionService">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="FileTransferBinding"
                name="DefaultEndpoint" bindingNamespace="urn:Ais.Sentry.Services.ServiceContracts"
                contract="DataDistribution.ServiceContracts.IDataDistributionService"/>
    </service>
  </services>
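As an added example (not code from the original post or the Sentry project), this is the custom UserNamePasswordValidator type the Goals section refers to, which WCF invokes for each UserName token once the binding uses TransportWithMessageCredential as in the correct configs above. The class name SentryUserNameValidator is an assumption, and the credential store, salt and password are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Text;

namespace DataDistribution.ServiceImplementation
{
    // WCF calls Validate() for every message that carries a UserName token
    // once the binding uses TransportWithMessageCredential.
    public class SentryUserNameValidator : UserNamePasswordValidator
    {
        // Constructed sample store: user -> (salt, PBKDF2 hash). A real service
        // loads these from its credential store; nothing is hard-coded.
        private static readonly byte[] SampleSalt = Encoding.UTF8.GetBytes("constructed-16B!");
        private static readonly Dictionary<string, Tuple<byte[], byte[]>> Store =
            new Dictionary<string, Tuple<byte[], byte[]>>
            {
                { "sentry-client", Tuple.Create(SampleSalt, Derive("constructed-sample-secret", SampleSalt)) }
            };

        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
                throw new SecurityTokenException("Username and password are required.");
            Tuple<byte[], byte[]> record;
            // Derive a hash for unknown users too, so timing does not reveal which names exist.
            if (!Store.TryGetValue(userName, out record))
                record = Tuple.Create(new byte[16], new byte[32]);
            byte[] candidate = Derive(password, record.Item1);
            if (!FixedTimeEquals(candidate, record.Item2))
                throw new SecurityTokenException("Unknown username or incorrect password.");
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
                return kdf.GetBytes(32);
        }

        // Compare every byte regardless of where the first mismatch occurs.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            int diff = a.Length ^ b.Length;
            for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

The validator is wired into the service behavior with <serviceCredentials><userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="DataDistribution.ServiceImplementation.SentryUserNameValidator, DataDistribution.ServiceImplementation"/></serviceCredentials>, where the assembly name after the comma is an assumption.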
From "ITPUB blog", link: http://blog.itpub.net/13651903/viewspace-1033651/. If you reproduce this article, please credit the source; otherwise legal liability will be pursued.