I am trying to configure my WCF service to use a custom username validator over HTTP and my ASP.NET Development server. Following are the parts of the serviceModel...
<basicHttpBinding>
<binding name="Authentication" >
<security mode="TransportCredentialOnly" >
<message clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
<service behaviorConfiguration="ApiBehavior" name="CriticalWatch.AuthenticationAPI.AuthenticationAPI">
<endpoint address="/" binding="basicHttpBinding" bindingConfiguration="AuthenticationBinding" name="Authentication" contract="CriticalWatch.AuthenticationAPI.IAuthenticationAPI" />
</service>
I then have a behavior for the validator...
<serviceBehaviors>
<behavior name="ApiBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Service.CustomUserNameValidator, MyService" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
My CustomUserNameValidator inherits from the UserNamePasswordValidator. The validator class gets instantiated, but the Validate method is never called. Plus, the client can call the method without passing any username and password.
What am I missing?
At this time, I want a solution that does not require HTTPS. I want to rely on the username and password passed with the message.
Also, see my blog post on how to implement a binding that will allow you to pass username and password over HTTP without SSL: http://blog.tonysneed.com/2012/06/18/building-scalable-and-secure-wcf-services/ Keep in mind, however, it's not a good idea to pass credentials in the clear over a non-secure transport. The technique I describe assumes you are using another mechanism, such as IPSec, to secure the transport, and it is useful for a load balancer that supports SSL termination for better scalability.
To specifically address your scenario, I would recommend that you bite the bullet and set up your development environment with SSL so that you can use the HTTPS binding with WCF and your username-password validator. This is much easier than implementing a custom binding element and is not as difficult as you might think. In fact, if you have IIS Express installed, you get a self-signed certificate that you can easily use as a certificate on IIS, or with a Windows Service.
Cheers,
Tony Sneed
By default WCF framework doesn't allow transport of username/password over HTTP channel as its clear text and a security violation, hence when you switch to HTTPS the username/password validator works. If you want to have the username/password validator working on HTTP you might need to write your custom service host factory that does this. You can find one that has been out here from long ago called ClearUserNameBinding. It allows you to perform username/password validation over HTTP.
NOTE: As said its not advised to use username/password over HTTP due to security but if you are sure that your service is behind a firewall that is secured enough and the call from client to the firewall is secured so that the username/password is not compromised then you can use it
See How to set up Basic Authentication sans SSL in ASP.NET where a link to The HTTP request is unauthorized with client authentication scheme 'Basic' is provided. That got me out of a jam.
