2

I'm setting up a WCF service. The service has to use transport security over https and I need to use some kind of authentication to prevent unwanted usage.

Digging in to WCF theory has disapointed me so far.

What I have found out so far is that I can use UserName authentication with transport security. But then I will need a certificate to secure the message.

And this makes it difficult to consume with most .NET languages.

I am surprised that I cannot find any good information on how to authenticate a user with wcf without message security?

What I would like is that the client passes username and password in some way to my service.

And for the record. The service will be using transport security.

To break it down:

  1. How can I implement authentication without limiting interoperability?
  2. Is WCF services so cumbersome that I either have to use a completely open service. And use IP filtering or VPN to restrict access?

UPDATE: Since I am planing to use https with a SSL sertificate, will security mode "TransportWithMessageCredential" be the solution for me?

MatthewMartin
  • 32,326
  • 33
  • 105
  • 164
espvar
  • 1,045
  • 5
  • 16
  • 28

2 Answers2

1

The only way to get REAL security IS to use digital certificates.

See my own question on this topic for details.

Community
  • 1
  • 1
GameScripting
  • 16,092
  • 13
  • 59
  • 98
  • I understand that the ideal and most secure way is to use certificate security. Just after i posted this question i found some interesting reading. Since i am planing to use https with a SSL sertificate, will security mode "TransportWithMessageCredential" be the solution for me? – espvar Nov 28 '12 at 21:11
  • certificates are the only way to be secure. "TransportWithMessageCredential" will probably work for you. – GameScripting Nov 29 '12 at 07:39
0

TransportWithMessageCredential (AKA mixed-mode security) is indeed what you are looking for.

JohnC
  • 844
  • 4
  • 10