tags:

views:

53

answers:

1
Q: 

WCF basicHttpBinding authenticating using username & password like in ASMX web services.

Hi,

I am implementing wcf web service hosting in IIS with basicHttpBinding those should be accesseble by .net 2.0 client like accessing ASMX services.

Any body can help with details & with few example/sample code.

thanks
nRk

+1  A: 

WCF is more secure than ASMX and insists the basic fact that it never allows you to send plain-text credentials without encrypting those.

You need to ask yourself a few qusetions here:

  • how do I protect my messages going from the client to the server, so that the username/password is not sent as plain text?
  • how do I check the validity of the username/password once the message arrives at the server?

For the first point, you can do a number of things:

  • secure the transport layer, e.g. use HTTPS (with SSL) to protect the entire pipe going from the client to the server. In that case, you don't have to do much else - the whole communication channel is protected

  • secure the message (at least the username/password part) using encryption. In that case, you need to have at least a service certificate on the server, so that the calling client has a shared secret to encrypt the message - or you need to install a certificate on the client (usually not a good idea if you want everyone to call your service)

For the authentication part, you need to decide on:

  • using the ASP.NET membership subsystem which already has a user table against which you can validate the credentials provided

  • or roll your own from scratch - not recommended unless you really really have to and have a very specific need

WCF security is not an easy topic - you can find helpful information and scenarios on how to do certain things here:

With just the few pieces of information you provided, one cannot really give a "do this and that" kind of answer. You need to read up on WCF security and decide on what scenario you want to implement. I'm sure folks here can help you with more specific questions about how to achieve certain things in WCF security, if your questions are more focused on a particular problem / issue.

marc_s  2009-12-27 09:12:16

related questions

Dynamic programming with WCF
WCF Service Returning "Method Not Allowed"
Exceptions in Web Services
What SPN do I need to set for a net.tcp service?
How do I unit test a WCF service?
Best practices for versioning your services with WCF?
Lazy Loading with a WCF Service Domain Model?
How many ServiceContracts can a WCF Service have?
How can I authenticate using client credentials in WCF just once?
WCF - Domain Objects and IExtensibleDataObject
InvalidOperationException while creating wcf web service instance
Closing and Disposing a WCF Service
What WCF best practices do you follow in object model design?
WCF push to client through firewall?
Loading System.ServiceModel configuration section using ConfigurationManager
I would like some tips for debugging WCF Web Service exceptions
What's the best way to authenticate over WCF?
Good Reads for Distributed Systems
.Net - Returning DataTables in WCF
What is the easiest way to add compression to WCF in Silverlight?
WCF Backward Compatibility Issue
Best Practices for securing a REST API / web service
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
WCF - High availability