Webhttpbinding with HTTPS and authentication with UserNamePasswordValidator when hosted in IIS

I'm trying to set up a WCF service hosted in IIS that exposes an endpoint that acts as a REST service producing JSON data, and I want to use HTTPS. I want to take care of the user authentication myself with the help of UserNamePasswordValidator, since the users are stored in a database.

At the moment I'm using a webhttpbinding to achieve the REST-fulness. My problem starts when I try to enable HTTPS (setting security mode to Transport). I have an SSL certificate on the server side (self signed for now), so that is all good, but I don't know how to configure the transport clientCredentialType of the binding so that the credentials are passed on to my implementation of UserNamePasswordValidator.

I've googled a lot, but can't seem to find anything good. If I understand it correctly, IIS handles the authentication before WCF and there is nothing to do about it? I would really prefer not to use an ASP.NET membership provider, but maybe that is an approach, or is there another way?

Thank you!

Edit: Found this. Not really what I was hoping for...

Farina answered 15/6, 2011 at 8:6 Comment(1)
Is my scenario really that unusual? What are the alternatives? Isn't everybody writing a REST-ful service facing the same problem or am I missing something trivial? Say that you would like to expose a JSON API over HTTPS, but also expose the same functionality over TCP, and you want to authenticate calls against users stored in your application database. - Farina

After a lot of googling around I have found a couple of possible solutions.

The recommended way to solve authentication with RESTful WCF services hosted in IIS seems to be to use tokens, either with the help of a third-party implementation of OAuth or by implementing something yourself. However, this will give me some problems with my nettcp endpoint, and I probably won't be able to use the same implementation for both endpoints (since I will need to do some token validation on calls coming via the webhttp endpoint).

The solution given by Ladislav Mrnka appears to be valid as well.

Farina answered 16/6, 2011 at 12:16 Comment(0)

You can't use UserName credentials - that is message-level authentication through a SOAP header, but JSON data exchange doesn't have such a header. Try to set up Basic credentials in the transport element (= transport-level authentication). It should work with a custom password validator since .NET 3.5. You will have to pass a valid HTTP header for basic authentication to successfully authenticate.

Edit:

I didn't test it with IIS, so there can be some problems because IIS triggers authentication before the custom validator is executed. In such a case you will need a custom HTTP module for authentication.

Precise answered 15/6, 2011 at 8:47 Comment(5)
I have tried to set up Basic credentials in the transport element, but it seems that basic authentication is tied to Windows authentication in IIS, and my custom UserNamePasswordValidator is never called. Are you sure that it should work? Maybe I've configured something wrong then.. - Farina
I found this link, and will give it a try... weblogs.asp.net/cibrax/archive/2009/03/20/… - Farina
That link is dependent on WCF Rest Starter kit which is not under development any more. - Precise
Ah, ok... So are you sure that Basic authentication with custom UserNamePasswordValidator should work in IIS or is there any other way to solve this? - Farina
I haven't tried the custom HTTP module solution yet, since I will try on an approach with a token in the Authorization header, but I'll mark it as a solution since it seems to work just fine. - Farina
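
The custom HTTP module approach mentioned in the answer above, as an added example that is not part of the original thread or anyone's posted code. It assumes IIS anonymous authentication is enabled and IIS's built-in Basic authentication is disabled, and that the module is registered in web.config; `BasicAuthModule`, the `Verify` hook and the realm name are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added example (not from the thread): Basic authentication in a custom HTTP module.
public class BasicAuthModule : IHttpModule
{
    // Hypothetical hook: replace with a lookup that compares salted password
    // hashes from the application database. The default rejects everyone.
    public static Func<string, string, bool> Verify = (user, password) => false;

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }

    private static void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string user, password;
        // Basic credentials are only base64-encoded, so accept them over HTTPS only.
        if (ctx.Request.IsSecureConnection
            && TryParseBasic(ctx.Request.Headers["Authorization"], out user, out password)
            && Verify(user, password))
        {
            ctx.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            return;
        }
        // Missing or invalid credentials: send the challenge and skip the
        // remaining pipeline events, going straight to EndRequest.
        ctx.Response.StatusCode = 401;
        ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"api\""); // constructed realm
        ctx.ApplicationInstance.CompleteRequest();
    }

    private static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        byte[] raw;
        try { raw = Convert.FromBase64String(header.Substring(6).Trim()); }
        catch (FormatException) { return false; }
        string pair = Encoding.UTF8.GetString(raw);
        int colon = pair.IndexOf(':'); // split on the first ':'; the password may contain more
        if (colon <= 0) return false;
        user = pair.Substring(0, colon);
        password = pair.Substring(colon + 1);
        return true;
    }
}
```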