1

I have a WCF application which I'd like to expose to some people, but for them to use the service I'd like to authenticate them somehow, is it possible to create my own membership provider which would check if the user is validated by calling the ValidateUser method? Also how would I then tell my bindings/behaviours to use this Membership Provider?

Edit

I have some queries about this too. For example: If I call a method on my webservice called QueryStock from my client. Does it first validate the user using my membership provider BEFORE firing the method or do I have to put pass the username and password as parameters and then do Membership.ValidateUser(username, password) before executing the code in my method?

CallumVass
  • 11,288
  • 26
  • 84
  • 154

4 Answers4

0

Yes it is possible. Take a look at this article, it shows a sample using a custom provider.

Rajesh
  • 7,766
  • 5
  • 22
  • 35
scheien
  • 2,457
  • 1
  • 19
  • 22
  • Unless I'm missing something, that link does now explain how to use membership providers with WCF - although it does explain how to do user validation without a membership provider. – Matt Roberts Apr 17 '12 at 12:37
  • I may have been a bit trigger happy, and misunderstood what he wanted. Even though he can use a custom provider, and are not limited to a membership provider. – scheien Apr 17 '12 at 12:44
  • What would be the best way of achieving validation? I already have a datastore and a method to check usernames/passwords, its not SQL tho. – CallumVass Apr 17 '12 at 13:28
  • public override void Validate(string username, string password) { if (!MyExistingValidationMethods(username, password) throw new SecurityTokenException("Username and password required"); } If it validates return true, and it will continue to the webservice method. – scheien Apr 17 '12 at 13:39
  • I've tried this method, it didn't work, probably due to the certificate, that's why I wanted to use a membership provider – CallumVass Apr 17 '12 at 13:49
0

This is all possible to do with WCF, I'm using it now for a WCF service we have.

You can create your own membership provider (just as you woud for an asp.net application), and then plumb that into WCF too. There's tonnes of information on this if you google for "WCF Membership provider". This post may help you too: WCF Authentication using SQL Membership Provider

Community
  • 1
  • 1
Matt Roberts
  • 26,371
  • 31
  • 103
  • 180
  • I don't really want to use a SQL membership provider or roles as I have my own functionality to validate the users, I just need to throw that in the `ValiateUser` method – CallumVass Apr 17 '12 at 13:05
0

You need to define a behaviour in teh config, for example:

<behaviors>
  <serviceBehaviors>
    <behavior name="Framework.Services.FrameworkBehaviour">
      ...
      <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="CustomProvider" />
      <serviceCredentials>
        <serviceCertificate ... />
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="...." />
      </serviceCredentials>
    </behavior>

This is the binding snippet:

   <binding name="userNamePassOverSsl" ...>
      <security mode="TransportWithMessageCredential">
        <transport  />
        <message clientCredentialType="UserName" />
      </security>
    </binding>
Aliostad
  • 80,612
  • 21
  • 160
  • 208
0

I had this question too: Authentication in WCF for every call

As you can see, you may use ASP.NET authentication.

If you have your own method to validate users, I'd try to use a kind of façade to call every service method with user + token and keep a kind of "async session".

So you can create a new token the first time the users login and then in each call and then use it in the next call. Use just a table with user + token to secure all your calls.

Community
  • 1
  • 1
zapico
  • 2,396
  • 1
  • 21
  • 45