WCF Security: Silverlight authentication for WCF service based on security token

yuzhangqi, posted on 2010-05-21

In my previous blog posts I showed how to authenticate a WCF service client based on username/password. That approach works for an ASP.NET client, but it is not available to a Silverlight client. The Silverlight application runs on the end user's remote machine, and it is not acceptable to transfer the username/password in cleartext over the wire. In addition, Silverlight supports BasicHttpBinding only, so transport-level security is not supported.

In order to authenticate a Silverlight caller for a WCF service, we need to generate a security token from the username, the password and a timestamp. The security token is an encrypted text, so we can transfer it over the network securely.

Then another question arises: how can we pass the security token from the Silverlight application, and how can the WCF service retrieve and validate it? The key pieces are System.ServiceModel.Dispatcher.IClientMessageInspector and System.ServiceModel.Dispatcher.IDispatchMessageInspector.

Create implementations of System.ServiceModel.Dispatcher.IClientMessageInspector and System.ServiceModel.Dispatcher.IDispatchMessageInspector. Respectively, these implementations "inspect" the message before it is sent and after it is received; it is during these steps that the header can be injected and read.
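A minimal sketch of the two inspectors described above, added here as an example and not taken from the original post. The header name and namespace, the class names, and the `getToken` / `isValid` delegates are assumptions; the token is treated as an opaque string, because the post does not say how it is encrypted.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;

// Header name and namespace are assumptions made for this example.
static class TokenHeader
{
    public const string Name = "SecurityToken";
    public const string Ns = "urn:example:security";
}

// Client side (Silverlight): injects the token into every outgoing request.
public class TokenClientInspector : IClientMessageInspector
{
    private readonly Func<string> _getToken; // hypothetical: returns the current token
    public TokenClientInspector(Func<string> getToken) { _getToken = getToken; }

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        request.Headers.Add(
            MessageHeader.CreateHeader(TokenHeader.Name, TokenHeader.Ns, _getToken()));
        return null; // no correlation state needed
    }

    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}

// Service side: reads the header and rejects the call before the operation runs.
public class TokenDispatchInspector : IDispatchMessageInspector
{
    // Hypothetical validator: decrypts the token, checks the credentials and the timestamp age.
    private readonly Func<string, bool> _isValid;
    public TokenDispatchInspector(Func<string, bool> isValid) { _isValid = isValid; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        int index = request.Headers.FindHeader(TokenHeader.Name, TokenHeader.Ns);
        if (index < 0)
            throw new FaultException("Missing security token.");

        string token = request.Headers.GetHeader<string>(index);
        if (string.IsNullOrEmpty(token) || !_isValid(token))
            throw new FaultException("Invalid or expired security token.");
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}
```

Each inspector is attached through an `IEndpointBehavior`: `ApplyClientBehavior` adds the client inspector to `clientRuntime.MessageInspectors`, and `ApplyDispatchBehavior` adds the service inspector to `endpointDispatcher.DispatchRuntime.MessageInspectors`. Since the token crosses the network on every call, the timestamp check inside the validator is what limits how long a given token is accepted.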

Thanks to the authors of the following blogs.

http://problog.jamespritz.com/2009/05/17/custom-headers-in-wcf.aspx

http://weblogs.asp.net/paolopia/archive/2007/08/23/writing-a-wcf-message-inspector.aspx


From the "ITPUB blog", link: http://blog.itpub.net/13651903/viewspace-1033801/. If you reprint this article, please credit the source; otherwise legal liability will be pursued.
