I'm looking to write a config file that allows for RESTful services in WCF, but I still want the ability to 'tap into' the membership provider for username/password authentication.

Below is part of my current config, using basicHttp binding or wsHttp without WS-Security. How will this change with REST-based services?

 <bindings>
  <wsHttpBinding>
   <binding name="wsHttp">
    <security mode="TransportWithMessageCredential">
     <transport/>
     <message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false"/>
    </security>
   </binding>
  </wsHttpBinding>
  <basicHttpBinding>
   <binding name="basicHttp">
    <security mode="TransportWithMessageCredential">
     <transport/>
     <message clientCredentialType="UserName"/>
    </security>
   </binding>
  </basicHttpBinding>
 </bindings>
 <behaviors>
  <serviceBehaviors>
   <behavior name="NorthwindBehavior">
    <serviceMetadata httpGetEnabled="true"/>
    <serviceAuthorization principalPermissionMode="UseAspNetRoles"/>
    <serviceCredentials>
     <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"/>
    </serviceCredentials>
   </behavior>
  </serviceBehaviors>
 </behaviors>
+1  A: 

Before you continue down this path of fighting to implement REST over WCF, I suggest you read this post by Tim Ewald. I was especially impacted by the following statement:

I'm not sure I want to build on a layer designed to factor HTTP in on top of a layer that was designed to factor it out.

I've spent the last 12 months developing REST based stuff with WCF and that statement has proven itself to be so true over and over again. IMHO what WCF brings to the table is outweighed by the complexity it introduces for doing REST work.

Darrel Miller
I'm very glad to know I'm not the only one to notice this! There are many good things about WCF, but the REST support has given me quite a bit of trouble.
tomasr
Was WCF designed to factor HTTP out? HTTP is just one of the transport options.
pc1oad1etter
Exactly. HTTP is a protocol for distributed applications. WCF is designed to allow you to build distributed applications in a way that is agnostic of the protocol.
Darrel Miller
@pc1oad1etter HTTP is not a transport protocol. HTTP stands for HyperText Transfer Protocol.
Darrel Miller
@Darrel -- look, we've 'met' before!
pc1oad1etter
+2  A: 

I agree with Darrel that complex REST scenarios over WCF are a bad idea. It just isn't pretty.

However, Dominick Baier has some good posts about this on his least privilege blog.

If you'd like to see WSSE authentication support with fallback to FormsAuthenticationTicket support on WCF, check out the source code of BlogService.

JarrettV
+3  A: 

Here's a podcast on securing WCF REST services with the ASP.NET membership provider:

http://channel9.msdn.com/posts/rojacobs/endpointtv-Securing-RESTful-services-with-ASPNET-Membership/

dpp
+1  A: 

Regardless of whether the community has opinions against REST on WCF (I'm personally on the fence), Microsoft has taken a swipe at it: http://msdn.microsoft.com/en-us/netframework/cc950529.aspx

MotoWilliams
+1  A: 

Yes, agreed with Moto. A link off the WCF Starter Kit is the closest thing I saw to authentication of credentials using a custom HTTP header (http://msdn.microsoft.com/en-us/library/dd203052.aspx).

However, I could not get the example going.

GONeale
Is the video broken?
pc1oad1etter
A: 

Try custombasicauth @ codeplex

Elijah Glover