I have a WCF service self hosted in a console application. I need to use a custom username and password validator (I wrote a class that inherits from UserNamePasswordValidator for this purpose). I need to use http (not https). Which is the right configuration (in terms of type of binding, security mode) for setting up this configuration? Thanks in advance... Andrea C

+1  A: 

You understand that by using HTTP instead of HTTPS that the username and password will be sent over the network in plain text and might be easily sniffed?

If you're using .NET 3.5 you can choose to secure the message or the transport channel using a custom UserNamePasswordValidator. If you're using .NET 3.0 you can only use message security with a custom UserNamePasswordValidator. See How to: Use a Custom User Name and Password Validator for more information.

For example, if you're using .NET 3.5 and you want to use transport security you could use the following configuration. You must remember to add a service behavior that lets WCF know about your custom UserNamePasswordValidator class.

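<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="Binding1">
        <security mode="Transport">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <!-- "Behavior1" is an example name; reference it from the service element's behaviorConfiguration attribute -->
      <behavior name="Behavior1">
        <!-- Tells WCF to validate credentials with the custom UserNamePasswordValidator -->
        <serviceCredentials>
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="** The fully qualified type name for your UserNamePasswordValidator **" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>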
dariom
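
An added example (not from the original question or answer) of a validator class that `customUserNamePasswordValidatorType` could point at. It checks the password against a salted PBKDF2 hash with a constant-time comparison and returns the same failure for an unknown user and a wrong password. The `Demo.HashedCredentialValidator` name, the in-memory store and the demo account are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Hypothetical validator; reference it from customUserNamePasswordValidatorType
// as "Demo.HashedCredentialValidator, <assembly name>".
namespace Demo
{
    public class HashedCredentialValidator : UserNamePasswordValidator
    {
        private const int Iterations = 100000, SaltSize = 16, HashSize = 20;

        // userName -> { salt, PBKDF2 hash }; a real service would load this from storage.
        private static readonly Dictionary<string, byte[][]> Users = BuildStore();

        private static Dictionary<string, byte[][]> BuildStore()
        {
            var store = new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase);
            byte[] salt = new byte[SaltSize];
            new RNGCryptoServiceProvider().GetBytes(salt);
            // Constructed demo account, not from the original post.
            store["demo-user"] = new[] { salt, Derive("demo-password", salt) };
            return store;
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashSize);
        }

        public override void Validate(string userName, string password)
        {
            if (userName == null || password == null)
                throw new SecurityTokenException("Invalid credentials.");
            byte[][] entry;
            bool known = Users.TryGetValue(userName, out entry);
            // Derive even for unknown users so both paths cost the same.
            byte[] salt = known ? entry[0] : new byte[SaltSize];
            byte[] actual = Derive(password, salt);
            byte[] expected = known ? entry[1] : new byte[HashSize];
            int diff = known ? 0 : 1;
            for (int i = 0; i < HashSize; i++) diff |= actual[i] ^ expected[i];
            // Same message for unknown user and wrong password.
            if (diff != 0) throw new SecurityTokenException("Invalid credentials.");
        }
    }
}
```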