Web service request authentication

Question

We're being really stuck here so I decided to ask your help.

Yesterday I've been asked to help to consume a web service, got the URL to the WSDL, and the user credentials to use. I've never really had anything to do with web services, but having a general idea about them and seeing a few examples I thought it can't be that bad. Obviously I was wrong as I'm stuck now.

Everything seems to be fine, the proxy class (or client) has been generated, building up requests and sending them are fine too, apart from the authentication part. Which we can't seem to figure out how to do.

Using the:

client.ChannelFactory.Credentials.UserName.UserName = "myusername";
client.ChannelFactory.Credentials.UserName.Password = "mypassword";

doesn't seem to work. (When I check the BindingElementCollection returbed by the client.Endpoint.Binding.CreateBindingElements() there's no SecurityBindingElement)

I've tried so many other ways of doing it, but I think I'm missing something basic and the lack of documentaion is not really helping either.

So the question is: How do I send the username and password when making a call to a web service, using WCF?

Edit: Just to clarify, the request should contain something similar to this:

 <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
     <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-25763165">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"&gt;1DiaGTkOLk/CZhDaEpbkAaKRfGw=&lt;/wsse:Password&gt;
        <wsse:Nonce>6ApOnLn5Aq9KSH46pzzcZA==</wsse:Nonce>
        <wsu:Created>2009-05-13T18:59:23.309Z</wsu:Created>
     </wsse:UsernameToken>
  </wsse:Security>

Answer 1

I've achieved similar, using a regular HttpCookie.

To create the cookie:

[OperationContract]  
public void LoginToApi(string username, string password, string clientName)
{
// authenticate with DB, if successful ...
// construct a cookie
    HttpCookie httpCookie = new HttpCookie("SessionID","whateverneeded");
    HttpContext.Current.Response.SetCookie(httpCookie);
}

This appears in your regular HttpRequests, too. So you just reverse the process, checking the hash/session ID/username/password whatever you put in the cookie on receipt before doing anything.

Answer 2

var factory = new ChannelFactory('*');
factory.Credentials.UserName.UserName = 'bob';
factory.Credentials.UserName.Password = 'bob';
var proxy = factory.CreateChannel();

For more information you can explore Authorization In WCF-Based Services*( http ://msdn.microsoft.com/en-us/magazine/cc948343.aspx)*