https://stackoverflow.com/questions/20865649
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianHere are some of the links which comes close to ur requirement: http://www.antaressolutions.com.au/blog/Lists/Posts/Post.aspx?ID=12 http://bartwullems.blogspot.in/2010/01/username-authentication-in-wcf.html WCF Service Authentication from MVC App sharing same Membership Provider
Security in WCF without using SSL
-
23-09-2022 - |
Pergunta
I have developed a MVC web application using WCF services .
For eg I have a service url as http://localhost/abcservice/method1. I am using basichttpbinding service.
In my controller I am adding the service reference and calling it:
serviceclient a = new serviceclient();
a.method1();
I am calling this service without using any authentication.
Out of curiosity, I have this question:
Is it possible to secure the WCF services hosted in IIS without buying SSL certificates ?
Is it possible to implement the authentication functionality by sending the username and password from the client and authenticating it?
If yes ,how? Any help would be greatly appreciated as most of the links will redirect using certificates for security.
Solução
Outras dicas
Since WCF is stateless you are going to need a reasonably sophisticated (read non-trivial) solution. Without providing code here is what I do:
Have a DB table which contains the list of current valid connections. You want to store user name, valid from/to date/time and a GUID token.
Provide an authentication WCF call that somehow authenticates the user. The somehow is probably what you are most interested in. You can authenticate against a list of valid users (again from a DB table) or against LDAP AD records. Or you could validate against Microsoft Passport/ Google Account, even Facebook. This is something you really need to consider, WHAT are you going to authenticate against. Once you decide that, then you can code for it. The simplest is to authenticate against a DB table - but its not very portable and requires maintenance of that table etc.
If the user was authenticated in step 2, create or update a valid connection record for the user assigning them a new GUID token and set valid from and to date/times (i.e. provide a lifetime for the token). Return the new token in step 2.
All subsequent WCF calls require the token to be passed in (along with the user name also if required). You check that the token is valid and if so, process the WCF call. If not, then ignore the call or do something meaningful.
As stated in other answers this has nothing to do with SSL. User authentication is major programming topic.
Licenciado em: CC-BY-SA com atribuição
Não afiliado a StackOverflow
