WCF -> IIS 7.0 Partial Trust Hosting (.svc) -> BasicHttpBinding -> Authentication (UserName / Password) - > ASP.NET Membership Provider -> No SSL

Question

Basically my requirement is:

• WCF Service Application Hosted on IIS 7.0 with Partial Trust
• Endpoint exposed with BasicHttpBinding
• Would like to enable basic Authentication (UserName / Password)
• Would like to use ASP.NET membership for User Authentication
• I don't want to setup SSL

I have seen some tutorials but they are talking about first enabling the SSL. I am able to create my sample WCF Service and Host is on IIS 7.0 with Partial Trust without any problem. Its just the Authentication part that I am struggling with.

Can anyone provide any assistance or point me to the place where relevant information can be found?

Thanks in advance.

Answer 1

If you are using username / password over basichttpbinding without ssl, then the password is going over the network unencrypted.

I would recomend that you use SSL in this situation.

Yes you can use basic authenication with an asp.net membership provider, see:

http://custombasicauth.codeplex.com/

Answer 2

Actually, I have struggled with this setup over the last 3 months. Turns out this combination will not actually work. Most sites/blogs on the topic deal with making the connection to asp memebership for login and creation of the user context. This does work fine; even over SSL. But when you try to use wcf services with permission attributes and communicate witht them over basicHTTPBinding, it doesn't work. The user context is not sent with the method call. Most people i've talked to have pointed me towards using REST style services instead of WCF.

check out this article. http://www.learn-silverlight-tutorial.com/SecuringSilverlightApplications.cfm

Steve