WCF: Passing Username and password to another service (No Https)

Question

I have to Create a WCF service (ServiceWrapper), which references another WCF Service(RealService).

I want Clients of ServiceWrapper to pass Username/password in authentication request.

The Operations of ServiceWrapper Call RealService. I need to pass the recieved Username/passowrd to Authenticate with RealSerivce and then call its Operations.

I need to host the service on Http and not Https(SSL/TLS).

Question: How to use the Client Credentails Recieved by a Service to authenticate with a Referenced Service without using Https(SSL/TLS)?

Question: How to use the Client Credentails Recieved by a Service to authenticate with a Referenced Service without using Https(SSL/TLS)? — Ashish, Jul 19 '12 at 19:47

score 3 · Answer 1 · edited Oct 31 '13 at 07:45

Your can use SOAP security. There are two SecurityModes for you - Message, TransportWithMessageCredential.

You should configure security mode (UserName) in <binding> section like this

<security mode="TransportWithMessageCredential">
    <transport clientCredentialType="" />
    <message clientCredentialType="UserName" />
</security>

Next, you should specify custom validator in <behavior> section

<behavior name="CommonBehavior">
    <serviceMetadata />
    <serviceDebug includeExceptionDetailInFaults="True"/>
    <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom"
             customUserNamePasswordValidatorType="Megatec.MasterTourService.CustomUserNameValidator, Megatec.MasterTourService"/>

        <serviceCertificate findValue="WCFServer" storeLocation="LocalMachine" 
            storeName="My" x509FindType="FindBySubjectName"/>
        <clientCertificate>
            <authentication certificateValidationMode="PeerTrust" />
        </clientCertificate>
    </serviceCredentials>
</behavior>

In your custom validator you can access and store user name and password, which were given as creditionals for ServiceWrapper.

using System.ServiceModel;
using System.IdentityModel.Selectors;
namespace MyService
{
    public class CustomUserNameValidator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (!(userName == "testMan" && password == "pass"))
                throw new FaultException("Incorrect login or password");

            // save your Usermame and Password for future usage.
         }
    }
}

When you need to access RealService, you can use userName and password as credentials, like my example below:

private readonly Dictionary<Type, Object> channelFactoryDictionary = new Dictionary<Type, Object>();
private ChannelFactory<T> GetChannelFactory<T>() where T : class
{
    if (channelFactoryDictionary.Keys.Contains(typeof(T)))
        return channelFactoryDictionary[typeof(T)] as ChannelFactory<T>;

    var channelFactory = new ChannelFactory<T>("*");
    channelFactory.Credentials.UserName.UserName = userName;
    channelFactory.Credentials.UserName.Password = password;

    channelFactoryDictionary.Add(typeof(T), channelFactory);

    return channelFactory;
}

Question: How to use the Client Credentails Recieved by a Service to authenticate with a Referenced Service without using Https(SSL/TLS)? — Ashish, Jul 19 '12 at 19:47
+1 In your step 3, I'd recommend storing the credentials in a custom OperationContext extension. That way, you're guaranteed that the stored values have the right lifetime (the duration of the service call). There's an [example here](http://hyperthink.net/blog/a-simple-ish-approach-to-custom-context-in-wcf/ "Example OperationContext extension"). — anton.burger, Jul 20 '12 at 09:51

score 1 · Answer 2 · answered Jul 18 '12 at 18:52

1

If SSL is not an option, you will need to use SOAP message security (SecurityMode = Message).

http://msdn.microsoft.com/en-us/library/ms733137.aspx

answered Jul 18 '12 at 18:52

Mike Goodwin

8,810
2
35
50

WCF: Passing Username and password to another service (No Https)

2 Answers2