views:

2589

answers:

2

I'm working on a project where I need the following

WCF service on server side (.net 3.5) WPF client for the client side (.net 3.0)

I have an existing application that I have to utilize the authentication and authorization from (on the server side). I also need to store some metadata about the user in the WCF Service's Thread Principal (a site object). I do this so that I can get at it in the WCF service if I absolutely have to, some business logic may require it So my plan was to do the flowing...

create a custom ServiceAuthorizationManager for the server and in there I will login the user and get the roles from the existing application. i will cache the "Site" object, and upon further reqests pull from the cache. I'll also need a CustomPrincipal object to hold my custom data. What I want is to impersonate the user so that I can use the builtin roles filtering in WCF like this

[PrincipalPermission(SecurityAction.Demand, Role = "Role1")]
public string[] RolesForUser(string username){}

I attempted to use the asp.net authorization with a custom roles provider, but I wasn't able to set anything on the Current Principal. I also attempted to use a custom IAuthorizationPolicy but problems arose. These problems dealt with being able to use the WCFClient.exe application, when it was discovering (using the mex endpoing) it wouldn't give any credentials, so the login would fail. I eventually decided that a ServiceAuthorizationManager was the right way to go, but I'm open to other suggestions.

On the client I will gather the credentials and put them into the WCF proxy class, as follows

proxy.ChannelFactory.Credentials.UserName.UserName = userName;
proxy.ChannelFactory.Credentials.UserName.Password = password;

As I started to go down this route, I noticed that I wasn't able to get the username/password in the CheckAccessCore method of my manager class. Further investigation showed that I should really be authenticating in a custom UserNamePasswordValidator. So I created one of those. Problem is that the validate method never got called.

Further investigation showed that in order for the validate method to be called my WCF service has to have either message or transport level security. The problem with that is that I can't figure out how to have a message or transport level security without an x.509 certificate. This product is going into several hundred incredibly locked down machines, and installing a certificate is not possible.

So my question is, is there a way to do what I'm asking without installing a certificate?

thanks in advance for any help.

A: 

Short answer; you can't. As soon as you use username/password you need some sort of secure channel.

However you don't need certificates on the clients; only on the server.

blowdart
+8  A: 

Actually it's possible, but you will need to implement your own binding.

Yaron Naveh developed a WCF binding that enables clear text username/password over HTTP. His article includes the code for the binding.

jassuncao