Webhttpbinding with HTTPS and authentication with UserNamePasswordValidator when hosted in IIS

StackOverflow https://stackoverflow.com/questions/6354787

  •  28-10-2019

Question

I'm trying to set up a WCF service hosted in IIS that exposes an endpoint that acts as a REST service producing JSON data, and I want to use HTTPS. I want to take care of the user authentication myself with the help of UserNamePasswordValidator, since the users are stored in a database.

At the moment I'm using a webhttpbinding to achieve the REST-fulness. My problem starts when I try to enable HTTPS (setting security mode to Transport). I have an SSL certificate on the server side (self-signed for now), so that is all good, but I don't know how to configure the transport clientCredentialType of the binding so that the credentials are passed on to my implementation of UserNamePasswordValidator.

I've googled a lot, but can't seem to find anything good. If I understand it correctly, IIS handles the authentication before WCF and there is nothing to do about it? I would really prefer not to use an ASP.Net membership provider, but maybe that is an approach, or is there another way?

Thank you!

Edit: Found this. Not really what I was hoping for...


Solution 2

After a lot of googling around I have found a couple of possible solutions.

The recommended way to solve authentication with RESTful WCF services hosted in IIS seems to be to use tokens, either with the help of a third-party implementation of OAuth or by implementing something yourself. However, this will give me some problems with my nettcp endpoint, and I probably won't be able to use the same implementation for both endpoints (since I will need to do some token validation on calls coming via the webhttp endpoint).

The solution given by Ladislav Mrnka appears to be valid as well.

Other answers

You can't use UserName credentials - that is message-level authentication through a SOAP header, but JSON data exchange doesn't have such a header. Try to set up Basic credentials in the transport element (= transport-level authentication). It should work with a custom password validator since .NET 3.5. You will have to pass a valid HTTP header for basic authentication to successfully authenticate.

Edit:

I didn't test it with IIS, so there can be some problems because IIS triggers authentication before the custom validator is executed. In such a case you will need a custom HTTP module for authentication.
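
The settings described in the answer above, written out as a `web.config` fragment. This is an added example, not part of the original answer or the asker's project: the type names under `MyApp` and the configuration names `secureRest`, `customAuth` and `rest` are hypothetical. As the answer's edit notes, it was not tested under IIS, where IIS may authenticate the request before the validator runs.

```xml
<system.serviceModel>
  <bindings>
    <webHttpBinding>
      <!-- "secureRest" is a hypothetical name for this binding configuration -->
      <binding name="secureRest">
        <!-- Transport = HTTPS only; the Basic credentials travel inside TLS -->
        <security mode="Transport">
          <!-- Transport-level credential: the HTTP Authorization: Basic header,
               not a SOAP UserName token (a JSON request has no SOAP header) -->
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
    </webHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="customAuth">
        <serviceCredentials>
          <!-- Route the user name and password to a custom
               UserNamePasswordValidator subclass.
               "MyApp.DbUserValidator, MyApp" is a hypothetical type/assembly. -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="MyApp.DbUserValidator, MyApp" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <!-- webHttp turns on the REST-style dispatch used with webHttpBinding -->
      <behavior name="rest">
        <webHttp />
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <services>
    <!-- Service and contract names are hypothetical -->
    <service name="MyApp.DataService" behaviorConfiguration="customAuth">
      <endpoint address=""
                binding="webHttpBinding"
                bindingConfiguration="secureRest"
                behaviorConfiguration="rest"
                contract="MyApp.IDataService" />
    </service>
  </services>
</system.serviceModel>
```

With `mode="Transport"` there is no plain-HTTP endpoint, so the Basic header, which is only base64-encoded, is never sent outside TLS.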

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow