views:

266

answers:

1

I have implemented a WCF service that uses a TransportWithMessageCredential binding and a custom UserNamePasswordValidator.

I have a Silverlight 3 client connecting to this service. If I set valid credentials it works perfect, however, in the username validator I throw a SecurityTokenException if the username and password does not match.

Now I have implemented a dummy service call just to verify the credentials, is there a "nicer" way of checking the credentials. A service method that accept username and password and returns true/false doesn't feel safe.

A: 

I think you're going about security in the wrong way. there are builtin methods for dealing with this. Look up "Membership Providers". Ex:

http://blogs.msdn.com/brada/archive/2008/05/03/accessing-the-asp-net-authentication-profile-and-role-service-in-silverlight.aspx

vidalsasoon
Doesn't that require the client to do a forms-authentication (or Windows)? In the SL case that is not a problem, but I will have other clients too (e.g. iPhone), that will not authenticate via a web-application. Is it possible to authenticate a caller through web-service calls only, a membership provider could be interesting.
Fredrik Jansson
the link i posted uses a pure WCF authentication service.the client can be anything as long as it supports SOAP web services. look for "AuthenticationService" in the article.
vidalsasoon