WCF message security with username authentication and authorization provided by a membership provider

In this blog, I’ll show how to set up message security with username authentication and authorization provided by a membership provider. I will not discuss the basics about message security or self-signed certificates as I’ve reviewed those topics already.

If you do not know what self-signed certificates are, how they work and why you need them, first read this:
WCF transport security and client certificate authentication with self-signed certificates

If you do not know how to use and configure message security, first read this:
WCF message security and client certificate authentication with self-signed certificates

If you do not know what a membership provider is or how to use it, then I’m sorry, but you might want to read this as well:
MSDN walk-through: Creating a Web Site with Membership and User Login

Now that we know how to work with message security, self-signed certificates and a membership provider, let’s get WCF username authentication and authorization working with a membership provider.

My solution looks as follows:

WCF Authentication and authorization with message security username


WCF custom username and password validation with a custom UserNamePasswordValidator

A few days ago I wrote an article about WCF message headers

WCF message headers with OperationContext and with MessageInspector and Custom Service Behavior

The scenario we used there was that users who wanted to invoke the public service had to pass their subscriptionid in a message header. If the subscriptionid was not present, the user would not be allowed to invoke any service operation. To secure that scenario, we would have to use Transport or Message security, so that the subscriptionid message header is encrypted and people with bad intentions cannot read your subscriptionid and use it for their own purposes.

Another possibility, maybe not such a good one, would be to work with a custom username and password validation. Let’s assume every company that is registered with us is registered with their company name and a private subscriptionid. Instead of using message headers to be granted access to the service, we will use a custom password validator that checks a username and password against our store, in our case the company name and the subscriptionid, which is their password.

In this case we will use message security with a self-signed certificate. If you are not aware of what this is and how this works, please read up on it in this post:

WCF message security and client certificate authentication with self-signed certificates

Just as with the other blog posts, I’ll add the solution and service setup to be complete:

WCF Custom Username validation solution


WCF message security and client certificate authentication with self-signed certificates

To set up WCF message security with client certificate authentication, we will start from what we built in the previous post:

WCF Transport Security and client certificate authentication with self-signed certificates

I suggest you read the previous post if you have not, as it covers self-signed certificates, the certificate MMC snap-in and IIS configuration. I will not repeat those things in this post. If you need them, you can read through the post mentioned above.

This was the solution overview we created in the previous post:

Solution overview

We will continue from what we created there, and make some very small changes to move from Transport Security to Message Security.
In the previous post where we set up Transport Security, we used basicHttpBinding. For this example I will move from basicHttpBinding to wsHttpBinding.
You can see the reason for this decision in section 3, NegotiateServiceCredential.

Having stated the above, let’s make the necessary changes to our solution of the Transport Security WCF Service.
