I have a WCF 3.5 service and it runs great. It is using basicHttpBinding and is hosted in IIS 7. I'd like to add some minimal security to it, maybe a username and a password. Can someone give me some really basic instructions? What do I need to add to my web.config file?

A: 

That's a very large topic.

This article is on WCF authentication with examples.

marr75
+1  A: 

The WCF Security Guidance is a really good place to start - with lots of scenarios, samples, explanations and more.

For basic username/password authentication over basicHttpBinding, you need to have several pieces in place:

  • enable the username/password on the client (config or code)
  • actually set the username/password on the client before each call (only in code)
  • define how to validate the username/password coming in on the server side - your options are validating against Active Directory (e.g. all your callers need to have an AD account with you in your domain), validating against the ASP.NET membership database, or rolling your own
  • install a certificate for the service on the server side, so that your messages can be protected (encrypted and signed)

This how-to "How To – Use Username Authentication with the SQL Server Membership Provider and Message Security in WCF from Windows Forms" basically does what you're looking for - the concrete example is for wsHttp, but it should work for basicHttpBinding as well.

marc_s
Thanks, I think this should help.
Scott
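
A server-side web.config sketch of the pieces listed in the answer above, added here as an illustration and not taken from either answer or the linked how-to. It uses `TransportWithMessageCredential` (HTTPS in IIS plus a username token in each message) rather than the message security of the wsHttp how-to, because that is the mode in which basicHttpBinding accepts UserName credentials; the service, contract, binding, behavior and provider names are hypothetical.

```xml
<!-- Added example. MyCompany.MyService, MyCompany.IMyService, SecureBasic,
     UserNameAuth and MySqlMembershipProvider are hypothetical names. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="SecureBasic">
        <!-- basicHttpBinding defaults to mode="None": no authentication, no encryption.
             TransportWithMessageCredential: HTTPS protects the channel and the
             username/password travel in a WS-Security header of each message. -->
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="UserNameAuth">
        <serviceCredentials>
          <!-- How incoming credentials are validated, one of:
               Windows            : Windows / Active Directory accounts
               MembershipProvider : ASP.NET membership database (shown here)
               Custom             : your own UserNamePasswordValidator, named in
                                    customUserNamePasswordValidatorType -->
          <userNameAuthentication
              userNamePasswordValidationMode="MembershipProvider"
              membershipProviderName="MySqlMembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="MyCompany.MyService" behaviorConfiguration="UserNameAuth">
      <!-- Relative address: IIS supplies the https:// base address of the .svc file,
           so the site needs an HTTPS binding with the server certificate. -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="SecureBasic"
                contract="MyCompany.IMyService" />
    </service>
  </services>
</system.serviceModel>
```

The membership provider named here must also be declared under `<system.web><membership><providers>`. On the client, use the same `<security>` settings on the binding and set `ClientCredentials.UserName.UserName` and `ClientCredentials.UserName.Password` on the proxy before calling the service.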