R – WCF -> IIS 7.0 Partial Trust Hosting (.svc) -> BasicHttpBinding -> Authentication (UserName / Password) – > ASP.NET Membership Provider -> No SSL

asp.net-membershipbasichttpbindingwcfwcf-security

Basically my requirement is:

WCF Service Application Hosted on IIS 7.0 with Partial Trust
Endpoint exposed with BasicHttpBinding
Would like to enable basic Authentication (UserName / Password)
Would like to use ASP.NET membership for User Authentication
I don't want to setup SSL

I have seen some tutorials but they are talking about first enabling the SSL. I am able to create my sample WCF Service and Host is on IIS 7.0 with Partial Trust without any problem. Its just the Authentication part that I am struggling with.

Can anyone provide any assistance or point me to the place where relevant information can be found?

Best Answer

If you are using username / password over basichttpbinding without ssl, then the password is going over the network unencrypted.

I would recomend that you use SSL in this situation.

Yes you can use basic authenication with an asp.net membership provider, see:

http://custombasicauth.codeplex.com/

Related Solutions

.net – WCF, ASP.NET Membership Provider and Authentication Service

I finally found a way to make this work. For authentication I'm using the "WCF Authentication Service". When authenticating the service will try to set an authentication cookie. I need to get this cookie out of the response, and add it to any other request made to other web services on the same machine. The code to do that looks like this:

var authService = new AuthService.AuthenticationServiceClient();
var diveService = new DiveLogService.DiveLogServiceClient();

string cookieHeader = "";
using (OperationContextScope scope = new OperationContextScope(authService.InnerChannel))
{
    HttpRequestMessageProperty requestProperty = new HttpRequestMessageProperty();
    OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] = requestProperty;
    bool isGood = authService.Login("jonas", "jonas", string.Empty, true);
    MessageProperties properties = OperationContext.Current.IncomingMessageProperties;
    HttpResponseMessageProperty responseProperty = (HttpResponseMessageProperty)properties[HttpResponseMessageProperty.Name];
    cookieHeader = responseProperty.Headers[HttpResponseHeader.SetCookie];                
}

using (OperationContextScope scope = new OperationContextScope(diveService.InnerChannel))
{
    HttpRequestMessageProperty httpRequest = new HttpRequestMessageProperty();
    OperationContext.Current.OutgoingMessageProperties.Add(HttpRequestMessageProperty.Name, httpRequest);
    httpRequest.Headers.Add(HttpRequestHeader.Cookie, cookieHeader);
    var res = diveService.GetDives();
}

As you can see I have two service clients, one fo the authentication service, and one for the service I'm actually going to use. The first block will call the Login method, and grab the authentication cookie out of the response. The second block will add the header to the request before calling the "GetDives" service method.

I'm not happy with this code at all, and I think a better alternative might be to use "Web Reference" in stead of "Service Reference" and use the .NET 2.0 stack instead.

Wcf – Hosting WCF Service on a partial trust host

The hosting environment is set to partial trust so that your code won't be able to interfere with other people's code. There's no way for you to elevate the permissions the hosting environment grants you.

This means that you're limited to BasicHttpBinding, BasicHttpContextBinding, WebHttpBinding, WSHttpBinding, WSHttpContextBinding and WS2007HttpBinding.

You set set your website to use medium trust (most likely what your host is using) so that you can test your site locally with the same limitations as your host enforces. Add to your web.config to do this.

Best Answer

Related Solutions

.net – WCF, ASP.NET Membership Provider and Authentication Service

Wcf – Hosting WCF Service on a partial trust host

Related Topic