Is there a clean way to expose a WCF REST service that requires basic authentication, but where we handle the actual validation of the username/password ourselves? It seems that when you tell WCF in config that you want to use basic authentication, it forces you to turn on basic authentication in IIS, and IIS can only do basic authentication against Windows accounts.

The only hack we have found is to lie to WCF and tell it there is no security on the service and then do authentication outside of the WCF stack using a generic IHttpModule (which has a proprietary config file to indicate which URLs have which authentication/authorization requirements).

It seems like there should be a better way. Anyone have one?

+1  A: 

Is the username and password set on the client like:

cc.ClientCredentials.UserName.UserName = ReturnUsername();
cc.ClientCredentials.UserName.Password = ReturnPassword();

Or are they embedded in the body of the REST message?

If the former, you can use a custom UserNamePasswordValidator: http://msdn.microsoft.com/en-us/library/aa702565.aspx

If the latter, you can set the service to no security, and use a custom ServiceAuthorizationManager to validate the contents of the message: http://msdn.microsoft.com/en-us/library/ms731774.aspx

Hope one or the other helps! I'd try to post sample code & config, but I'm @ home and don't have access to code, which is all @ work.

rally25rs
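
A sketch of the custom UserNamePasswordValidator approach mentioned in the answer above, added here as an example and not code from any poster. The `Demo` namespace, `StoreBackedValidator`, `Register` and the in-memory store are hypothetical; it stores salted PBKDF2 hashes instead of passwords, compares them in constant time, and does the same work for unknown users so response time does not reveal which usernames exist.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Hypothetical validator. Enabled in the service behavior with:
//   <userNameAuthentication userNamePasswordValidationMode="Custom"
//       customUserNamePasswordValidatorType="Demo.StoreBackedValidator, Demo" />
namespace Demo
{
    public class StoreBackedValidator : UserNamePasswordValidator
    {
        private const int Iterations = 100000;
        private sealed class Entry { public byte[] Salt; public byte[] Hash; }

        // Constructed in-memory store; a real service would query its own user database.
        private static readonly Dictionary<string, Entry> Users =
            new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
        // Stand-in entry so unknown users cost the same hashing work as known ones.
        private static readonly Entry Dummy = Derive("unused-placeholder");

        // Call once at startup, before the host opens (Dictionary is not thread-safe for writes).
        public static void Register(string userName, string password)
        {
            Users[userName] = Derive(password);
        }

        private static Entry Derive(string password)
        {
            byte[] salt = new byte[16];
            new RNGCryptoServiceProvider().GetBytes(salt);
            return new Entry { Salt = salt, Hash = Hash(password, salt) };
        }

        private static byte[] Hash(string password, byte[] salt)
        {
            return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(32);
        }

        public override void Validate(string userName, string password)
        {
            Entry entry = null;
            bool known = userName != null && Users.TryGetValue(userName, out entry);
            if (!known) entry = Dummy;
            byte[] candidate = Hash(password ?? string.Empty, entry.Salt);
            int diff = 0; // OR of XORs: no early exit on the first mismatching byte
            for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ entry.Hash[i];
            if (!known || diff != 0)
                throw new SecurityTokenException("Unknown username or incorrect password");
        }
    }
}
```

Basic authentication sends the password with every request, so the endpoint should only be exposed over HTTPS.
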
A: 

If you host it on IIS, using a custom HTTP module is the way to go. You can bring the principal over to the WCF side to do code access security. See HTTP Basic Authentication against Non-Windows Accounts in IIS/ASP.NET (Part 3 - Adding WCF Support). Also see Custom HTTP Basic Authentication for ASP.NET Web Services on .NET 3.5/VS 2008.

If you are not using IIS, you should be able to implement userNameAuthentication. See Finally! Usernames over Transport Authentication in WCF.

eed3si9n
+5  A: 

The WCF REST Contrib library enables this functionality:

http://wcfrestcontrib.codeplex.com/

It also allows you to secure individual operations.

Mike OBrien
Does this work with .NET4?
rotary_engine
Good question. I'm upgrading our code base now so I'll find out soon. :)
Mike OBrien
The project is now hosted on GitHub: http://github.com/mikeobrien/WcfRestContrib
Martin Owen
A: 

See Custom Basic Authentication for RESTful services. Pablo's approach uses the interceptor functionality that is provided via the REST starter kit to solve the problem. If you do not want to depend on the REST starter kit, then you can create your own service host and use the interceptor functionality provided.

Eric Hauser
A: 

Is there a non ASP.net approach as well? Just WCF 3.5 with webHttpBinding, REST and IIS would be great!!

Thanks for any comment. Cheers chris

chris storm
A: 

I just have a follow-up question on Mike's answer. Can http://wcfrestcontrib.codeplex.com/ be implemented in WCF REST 4.0 already? Since I can't find a way to implement Authentication in 4.0...

Thanks Regards, Ravi

Ravi