3

I'm currently designing and developing a WCF 4 RESTful service that will be used by mobile devices. I specifically picked REST because it's supposedly lightweight and the JSON output makes parsing simple for the mobile clients.

The service takes care of the mobile devices part of the entire application. But, it requires that users log in before using the service. Basic HTTP authentication is not an option: It's insecure and a man-in-the-middle attack could easily intercept the user accounts. SSL is an option here, but I have no idea how easily SSL works on a WCF RESTful service and how simple it is to implement on mobile devices.

I've looked into Digest Authentication, but I can't really find any good information on how to implement it. And that also brings up: How am I going to allow users to add a device to their account with this? Hash the username/password combination into the Digest header along with other information?

Could someone shed some light on this? Because I'm confused as hell. There is plenty of information on the net on how to implement WCF (RESTful) services, but the moment you need to secure it, the amount of information drops significantly... Articles are welcome.

Toolmaker
  • 554
  • 6
  • 22
  • is this a duplicate? http://stackoverflow.com/questions/6021612/wcf-restful-web-services-and-custom-authentication – ale May 27 '11 at 17:32

1 Answers1

2

Leveraging SSL is brain dead simple in WCF and should be supported by every mobile platform at this point. You should defintiely go basic auth with SSL to keep your life as simple as possible IMHO.

All you need to do to enable HTTPS on your WCF service is:

<webHttpBinding>
    <binding name="MyBinding">
        <security mode="TransportCredentialOnly">
           <transport clientCredentialType="Basic" />
        </security>
    </binding>
</webHttpBinding>

That will say "only allow access to this service over a secure transport and expect a basic auth credential to be passed".

Now, the only question is, where are you hosting your WCF service? If hosting in IIS you need simply need to configure the service certificate with it and you're all set.

Another option is to do SSL up front with an F5 device or something like that. Then you have to do a little more work because, by default, WCF will not let you pass crendentials over a non-secured transport. Then you need to get into customizing your own binding and setting the AllowInsecureTransport = true on the TransportSecurityBindingElement. This will basically say "trust me, I'm doing the right thing" to WCF and allow the service to initialize propertly even though the credential will flow over a non-secure binding.

Drew Marsh
  • 33,111
  • 3
  • 82
  • 100
  • The idea is to host the service from within IIS. I'm currently developing it with the ASP.NET Development Server, which doesn't support SSL. However, I'll whip out a test service + mobile client tomorrow to see if it works. I'll generate my own certificate, import it on my phone and link it in IIS. – Toolmaker May 29 '11 at 16:33