问题
I want to authenticate users of a WCF service against custom Membership and Role Providers but I don't want to have to secure the traffic between with a certificate.
Is it possible to use basicHttpBinding, passing custom credentials without a certificate?
I ask because I have a WCF service with all of the membership provider plumbing etc wired in via config and hosted under IIS, but the user details are not being passed through to IIS.
I have a WAN where the network is secure so I'm not worried about message encryption.
ASP.Net compatibility has been turned on, config is as below. It's all .Net 4.0;
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<membership defaultProvider="DemoMembershipProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add name="DemoMembershipProvider" type="DemoMembershipProvider" connectionStringName="SqlConn" applicationName="TestProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Clear" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="DemoRoleProvider" >
<providers>
<clear/>
<add name="DemoRoleProvider" connectionStringName="blah" applicationName="TestProvider" type="DemoRoleProvider" />
</providers>
</roleManager>
<customErrors mode="Off" />
</system.web>
<system.serviceModel>
<services>
<service name="DataService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BindingConfiguration" contract="IDataService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="BindingConfiguration">
<security mode="None">
<message clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="DemoMembershipProvider" />
</serviceCredentials>
<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="DemoRoleProvider" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
Client code is;
Console.WriteLine("Calling with valid credentials");
using (var y = new DataServiceRef.DataServiceClient())
{
y.ClientCredentials.UserName.UserName = "ryan";
y.ClientCredentials.UserName.Password = "password";
Console.WriteLine("Result: {0}", y.GetData("blah"));
}
回答1:
You must use custom binding because default bindings don't support sending user name and password without secure channel (either transport or message security where both require certificate). Use this custom binding:
<customBinding>
<binding name="UsernamePasswordOverHttp">
<textMessageEncoding messageVersion="Soap11" />
<security
authenticationMode="UserNameOverTransport"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
allowInsecureTransport="true" />
<httpTransport />
</binding>
</customBinding>
Another solution is using ClearUserNameBinding.
来源:https://stackoverflow.com/questions/5531377/wcf-with-custom-membershipprovider-and-no-x-509-cert-possible