wcf-security

First of all I apologize for my english... As I wrote in title I need to secure my WCF Service. I always used message security mode using ClientCredentialType="Certificate", checking in this way: <serviceCertificate findValue="cn=abc" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectDistinguishedName"/> <clientCertificate> <authentication certificateValidationMode="PeerTrust"/> </clientCertificate> This configuration worked well, but now I need to assign different privileges to the authenticated clients, I need Authorization in other words. Any idea? Thanks,

I have created WCF and I have used wsHttpBinding and MTOM as message transport with authentcation as "Windows". Now my service is not current SECURE, its plain HTTP, running on custom port. Is Windows Authentication of WCF's wsHttpBinding secure? can anyone see the password or guess through network trace? Environment Information: Hosted on Internet No Active Directory, its single server Connecting from my office with server's admin username and password On the client side, Password is not mentioned in config file, it is entered at runtime. It works correctly becausing entering wrong

WCF does my head in. What I'm trying to do is create a WCF client that will send SOAP messages that contain a username token and are signed with a certificate, but are not encrypted. I've found many articles and blogs with code which almost does what I want, but not quite, and now I'm stumped. Can anyone give me a simple example of how to do this? What I've done so far is: Use svcutil to generate a config file and WCF code from a wsdl and xsd Install certificates and load from the certificate store I've tried many different things and had many different errors and would like a an example which

Related to this question , I've got a custom UserNamePasswordValidator that logs in to our internal API. As part of this logging-in, I can discover the user's roles in our system. I'd like to later use these in PrincipalPermissionAttribute demands on the service methods, e.g.: [OperationContract] [PrincipalPermission(SecurityAction.Demand, Role = "System Administrator")] public string HelloWorld() { /* ... */ } To expand on Ladislav's answer: No. A custom UserNamePasswordValidator cannot be used as a role provider. The UserNamePasswordValidator runs in a separate context (or thread, or

According to our provider we need to send this kind of Header: <soapenv:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss- wssecurity-secext-1.0.xsd"> <wsse:UsernameToken wsu:Id="UsernameToken-12" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsse:Username>string</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">string</wsse:Password> </wsse:UsernameToken> </wsse:Security> </soapenv:Header> But when checking out with

I am trying to connect to a third party SOAP 1.1 service that requires SSL security and username/password credentials. An example of what is expected is: <soapenv:Header> <wsse:Security> <wsse:UsernameToken> <wsse:Username>username</wsse:Username> <wsse:Password>password</wsse:Password> </wsse:UsernameToken> </wsse:Security> </soapenv:Header> My client configuration is as follows: <system.serviceModel> <bindings> <basicHttpBinding> <binding name="thirdpartyservicebindingconfig"> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName" algorithmSuite="Default" /