WCF custom username and password validation with a custom UserNamePasswordValidator

A few days ago I wrote an article about WCF message headers:

WCF message headers with OperationContext and with MessageInspector and Custom Service Behavior

The scenario there was that users who wanted to invoke the public service had to pass their subscriptionid in a message header. If the subscriptionid was not present, the user would not be allowed to invoke any service operation. To secure that scenario, we would have to use Transport or Message security so that the subscriptionid message header is encrypted and people with bad intentions cannot read your subscriptionid and use it for their own purposes.

Another possibility, maybe not such a good one, would be to work with custom username and password validation. Let’s assume every company that is registered with us is registered with its company name and a private subscriptionid. Instead of using message headers to grant access to the service, we will use a custom password validator that checks a username and password against our store: in our case the company name is the username and the subscriptionid is the password.

In this case we will use message security with a self-signed certificate. If you are not aware of what this is and how it works, please read up on this post:

WCF message security and client certificate authentication with self-signed certificate
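
The validator described above, written here as an added example (it is not the code from the post's downloadable solution): it treats the company name as the user name and the subscriptionid as the password, and rejects unknown companies and wrong subscriptionids with the same error and the same amount of work. The class name `SubscriptionValidator`, the in-memory store and its sample entries are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Text;

// Hypothetical validator: user name = company name, password = subscriptionid.
public class SubscriptionValidator : UserNamePasswordValidator
{
    // Constructed sample store: company name -> SHA-256 of the subscriptionid.
    // Assumption: a real deployment reads these values from its own data store.
    private static readonly Dictionary<string, byte[]> Store =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Contoso", Hash("constructed-subscription-id-1") },
            { "Fabrikam", Hash("constructed-subscription-id-2") }
        };

    // Compared against when the company is unknown, so both failure paths do the same work.
    private static readonly byte[] Dummy = Hash("no-such-company");

    public override void Validate(string userName, string password)
    {
        byte[] expected;
        bool known = Store.TryGetValue(userName ?? string.Empty, out expected);
        bool match = FixedTimeEquals(known ? expected : Dummy, Hash(password ?? string.Empty));

        // One message for both failures: the caller cannot tell which value was wrong.
        if (!(known && match))
            throw new SecurityTokenException("Unknown company name or subscriptionid.");
    }

    private static byte[] Hash(string value)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(value));
    }

    // Comparison whose duration does not depend on where the first differing byte is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

WCF only calls such a class when the service behavior's `userNameAuthentication` element sets `userNamePasswordValidationMode="Custom"` and names the type in `customUserNamePasswordValidatorType`.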

Just as with the other blog posts, I’ll add the solution and service setup to be complete:

WCF Custom Username validation solution
