Hi experts,

I am new to WCF, learning right now.

I want to protect a basic WCF service by sending a username and password from the client. With every example I saw on the Web, I'm stuck behind huge configurations and obscure errors, SSL certificates, etc.

Also, give me some proper steps to configure the configuration file.

I do not mind encrypting credentials because it won't be a security critical service. I require only a general form of protection by just sending a username and password; if it is correct the service has to reply, else an error message, that's all.

Thanks in advance.

1 solution


Solution 1

If you're doing any type of production-ready service that requires authentication, then it really should be over SSL. The reason is that even if you encrypt a username & password (which you should do whether you're transmitting over SSL or not), without SSL you're wide open for a MIM attack. Essentially, an attacker would eavesdrop on your conversation, capture and save the encrypted user name & password. Now the attacker doesn't need to worry about decrypting the values; all they need to worry about is sending the encrypted user name & password with every subsequent malicious request.

If you're testing stuff out locally on your own dev server you can create your own self-signed SSL certificate for testing purposes.

At the most basic level you could just do this.

Custom User Name and Password validator

However, please don't deploy something on the net without properly securing it with SSL. Also don't try to roll your own encryption.
   
Comments
Manikandan Sekar 24-Jul-13 11:34am
   
@CdnSecurityEngineer: Thanks for your valuable reply. I followed your instructions; I have been learning WCF for the last two days only. I don't know anything about WCF, so I just need a basic secure mode only. Also, I referred to the link you gave; I tried that method already, and the custom validator class won't get called during execution. The page itself has the same report by a person. Kindly give me a link or steps to do a basic secure WCF service which validates the username and password in the custom validator class.
Thanks in advance
CdnSecurityEngineer 24-Jul-13 11:38am
   
I don't have time to give you the step by step. However, if you do this correctly... I know that this works.

This Blog post works.
Manikandan Sekar 24-Jul-13 11:43am
   
OK, I will give it a try
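
A self-hosted sketch of the custom user name and password validator approach over SSL that Solution 1 recommends, added here as an example and not taken from the thread or the pages it links to. `IEcho`, `EchoService`, `DemoValidator`, the address and the sample credentials are assumptions; the project needs references to System.ServiceModel and System.IdentityModel, and the port needs an SSL certificate bound to it (a self-signed one is enough for local testing).

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEcho { [OperationContract] string Echo(string text); }

public class EchoService : IEcho
{
    public string Echo(string text) { return "echo: " + text; }
}

// Hypothetical validator: a real one checks a salted password hash in a user store.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // Reject missing values first so they never reach the comparison below.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Missing credentials.");
        // Constructed sample credentials, for the demo only.
        if (userName != "demo-user" || password != "demo-password")
            throw new SecurityTokenException("Unknown user name or wrong password.");
    }
}

public static class Program
{
    public static void Main()
    {
        // HTTPS protects the channel; the UserName credential travels inside the message.
        // With SecurityMode.None no credential is processed at all.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // Assumed local test address.
        var host = new ServiceHost(typeof(EchoService), new Uri("https://localhost:8443/echo"));
        host.AddServiceEndpoint(typeof(IEcho), binding, "");
        // The default validation mode is Windows; Custom is what routes credentials to the validator.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoValidator();
        host.Open();
        Console.ReadLine(); // keep the host alive until Enter is pressed
        host.Close();
    }
}
```

A client sets `ClientCredentials.UserName.UserName` and `ClientCredentials.UserName.Password` on its channel factory or generated proxy and uses the same binding settings.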

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



