Click here to Skip to main content
15,884,099 members
Search within:


Secure WCF Service with basic authentication without SSL and all
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
WCF
security
Hi experts,

I am new to WCF, learning right now.

I want to protect a basic WCF service sending username and password from the client. With every example I saw on the Web i'm stuck behind huge configurations and obscure errors SSL certificates etc...

also give me some proper steps to configure the configuration file.

I do not mind encrypting credential because it won't be a security critical service. I require only a general form of protection by just sending username and password, if it is correct the service has to reply else an error message thats all..

Thanks in advance.
Posted
Add a Solution

1 solution

If you're doing any type of production ready service, that requires authentication then, it really should be over SSL. The reason being, is because even if you encrypt a username & password (which you should do whether you're transmitting over SSL or not). Without SSL you're wide open for a MIM attack. Essentially, an attack would eavesdrop on your conversation, capture and save the encrypted user name & password. Now the attacker doesn't need to worry about decrypting the values all they need to worry about is sending the encrypted user name & password with every subsequent malicious request.

If you're testing stuff out locally on your own dev server you can create you own self signed SSL
certificate for testing purposes.

At the most basic level you could just do this.

Custom User Name and Password validator

However please don't deploy something on the net without properly securing it with SSL. Also don't try to role your own encryption.
 
Share this answer
 
Posted
Comments
Manikandan Sekar 24-Jul-13 11:34am    
@CdnSecurityEngineer: Thanks for your valuable reply, i follow your instructions i am learning the WCF for the last two days only. I dono about anything in WCF. So i just need a basic secure mode only, also i referred the link you gave, i tried that method already the customvalidator class wont get called during execution. The page itself has a same report by a person. Kindly give me a link or steps to do basic secure WCF service which validates the username and password in the customvalidator class.
Thanks in advance
CdnSecurityEngineer 24-Jul-13 11:38am    
I don't have time to give you the step by step. However, if you do this correctly... I know that this works.

This Blog post works.
Manikandan Sekar 24-Jul-13 11:43am    
Ok i will give it a try
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
Question on WCF and basic authentication...
Accessing an IIS Hosted WCF Service from a Java Client using HTTPS and Username Authentication
wcf service security
Regarding the wcf data service basic authentication
WCF Services and SSL
authentication on WCF service
HTTPS authentication in wcf restful Service
WCF Service Authentication
Custom Basic authentication for WCF Restful webservice
WCF Service authentication

Advertise
Privacy
Cookies
Terms of Use
Last Updated 24 Jul 2013
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web02 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900